Sponsored by..

Tuesday, 27 November 2012

FedEx spam / PostalReceipt.zip


A slightly new take on the malicious FedEx spam we've seen recently. This time, the link in the email goes to a hacked domain to download an attachment called PostalReceipt.zip

Date:      Tue, 27 Nov 2012 13:04:37 -0400
From:      "Office Mail" [no_replyFRL@cleveland.com]
Subject:      ID (I)JI74 384 428 2295 7492

FedEx   
  
Order: AX-7608-99659670234   
Order Date: Sunday, 25 November 2012, 10:35 AM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

GET POSTAL RECEIPT


Best Regards, The FedEx Team.
  
� FedEx 1995-2012 
In this case the download site was [donotclick]amsterdam.cathedralsoft.com/TFOIATVZVT.html hosted on 46.105.140.157 (OVH, Spain). www.cathedralsoft.com is hosted on 94.23.187.176 (also OVH, Spain). It looks like cathedralsoft.com have been compromised in this attack.

VirusTotal detection rates are very low. I don't currently have an analysis of the malicious payload.

Update: here is another variant, downloading from  [donotclick]brandandreputation.net/NOHDPQWPJJ.html  (195.249.40.193, TeamInternet Denmark)

Date:      Wed, 28 Nov 2012 A.D. 07:34:52 -0400
From:      "First-Class UPS logistics" [no.reply-FG@houston.com]
Subject:      Tracking Number (A)PSO79 089 360 1947 4933

FedEx    
   
Order: MN-8474-09876452234    
Order Date: Sunday, 24 November 2012, 11:36 AM

Dear Customer,

Your parcel has arrived at the post office at November 26.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

Detection rates are pretty miserable for this one too. It looks like a Bredolab variant.

Update 2:  another variant of the malware, this time downloading via [donotclick]www.cantoncityutah.com/OXSJOVVYOE.html (this tries to open PostalReceipt.zip in a window). Again, VirusTotal detection is not good.


Date:      Thu, 29 Nov 2012 A.D. 14:29:38 +0200
From:      "Office Mail" [NoReply@baltimore.com]
Subject:      Tracking Number (K)IR46 545 922 5276 0059

FedEx    
   
Order: HD-5468-483254683    
Order Date: Monday, 25 November 2012, 03:41 PM

Dear Customer,

Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     

Update 3: yet another variant.. the payload wasn't working on this one though.

Date:      Fri, 30 Nov 2012 A.D. 07:57:38 -0400
From:      "First-Class logistics" [NoReply.368@tucson.com]
Subject:      Number (N)GDE82 422 446 0527 6243



FedEx
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    
Update 4: this variant attempts to download [donotclick]catercut.ie/Postal-Receipt.zip (VirusTotal results here) via [donotclick]catercut.ie/KANHEPGVVM.html:

Date:      Fri, 30 Nov 2012 A.D. 14:33:35 -0400
From:      "UPS Mail" [NOreplyEAY@baltimore.com]
Subject:      ID (P)NRB90 564 295 9947 6165

FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012     
Update 5: another spam run, same payload as last time (updated VirusTotal results here). Link leads to [donotreply]drillsaw.com.au/VYWFBRIUBU.html which leads to a payload at [donotreply]drillsaw.com.au/Postal-Receipt.zip

Date:      Fri, 30 Nov 2012 A.D. 22:47:44 -0700
From:      "logistics UPS" [no.reply-UAC@losangeles.com]
Subject:      Tracking Detail (L)OK73 487 973 8524 5206


FedEx    
   
Order: HD-5468-483254683    
Order Date: Tuesday, 26 November 2012, 10:17 AM

Dear Customer,

Your parcel has arrived at the post office at November 28.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012
Update 6: yet another variant, this time downloading from [donotclick]exodionline.com/job.php?php=receipt (VirusTotal results here).

Date:      Sun, 02 Dec 2012 A.D. 15:13:18 -0400
From:      "UPS Receipt" [NOreply.815@irvine.com]
Subject:      Tracking ID (T)SB58 793 555 5502 9056

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Update 7: this variant downloads from [donotclick]www.850spider.de/TYKXVHIFQH.html (report here):


Date:      Sat, 01 Dec 2012 A.D. 19:50:18 -0500
From:      "First-Class logistics" [NoReply-QEP@baltimore.com]
Subject:      Tracking Detail (K)HW33 625 799 6339 9731

FedEx    
   
Order: RM-8723-2307345234    
Order Date: Monday, 19 November 2012, 09:32 AM

Dear Customer,

Your parcel has arrived at the post office at November 29.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    
Update 8: this one attempts (and fails) to download the payload from [donotclick]aucs.de/job.php?php=receipt - I haven't seen the payload for this yet.

Date:      Tue, 04 Dec 2012 05:13:30 -0600
From:      "U.P.S.Service" [no_replyQQW@tampa.com]
Subject:      Tracking Number (X)SO21 772 224 4605 7903

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Update 9: another slightly different version, this one 404s:

Date:      Wed, 05 Dec 2012 A.D. 06:52:19 -0400
From:      "U.P.S.Service" [NOreplyPCP@birmingham.com]
Subject:      ID (I)PFP44 818 840 9369 1257

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012
Update 10: another version, this downloads from [donotclick]gaffashion.de/KUHZNRQXSG.php?php=receipt , VirusTotal results are patchy.

Date:      Wed, 05 Dec 2012 13:21:13 -0400
From:      "logistics UPS" [no.replyDD@cincinnati.com]
Subject:      Tracking Number (O)UBF96 497 677 7945 1347

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Update 11: even more of these today, the volumes seem to be ramping up. Detection rates are pretty miserable.

Subjects spotted:
Tracking Detail (S)AR71 347 275 0953 6096
Number (H)OY68 102 257 0143 6263
Tracking Number (A)WF09 061 710 9662 3209
Tracking Detail (Y)XEY08 661 121 7788 5937
ID (T)TU26 454 839 5856 0273
Number (651)36-651-651-7313-7313
Number (N)QGW24 822 128 6967 5066
Tracking Detail (J)RD66 396 145 5017 2968
Tracking ID (G)EQI40 177 581 4008 9333 

Dowload sites:
[donotclick]www.andovar.de/LNYYNMZAMK.php?php=receipt
[donotclick]biggis-musiktruhe.de/PQRZPJPCBG.php?php=receipt
[donotclick]threesolution.org/OGIKYWHWNJ.php?php=receipt
[donotclick]s375670599.online.de/RTJQIUZQOJ.php?php=receipt
[donotclick]Joeyscafeok.com/PHLNPDFSRV.php?php=receipt
[donotclick]www.edibaer.at/CPDWHUDQDM.php?php=receipt

[donotclick]architetturapc.altervista.org/VOWORTEUWM.php?php=receipt
[donotclick]myinci.net/XIGTTUBPNV.php?php=receipt


Update 12: another version with a tweaked malicious binary:

Date:      Fri, 07 Dec 2012 08:33:17 -0400
From:      "UPS Receipt" [NOreply.IDH@riverside.com]
Subject:      ID (D)RH64 621 035 9749 7042

FedEx    
   
Order: SD-5468-482485468    
Order Date: Monday, 2 December 2012, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at December 4.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 

In this case, the link goes to [donotclick]www.dol2day.com/QGYAMKOOBH.php?php=receipt which downloads Postal-Receipt.zip containing Postal-Receipt.exe. The VirusTotal results are not good. Another version uses the subject Number (A)CV88 683 994 7812 3447 

Update 13another couple of variants, the payload has morphed again and VirusTotal results are predictably very poor.


Date:      Sun, 09 Dec 2012 A.D. 12:20:15 -0400
From:      "Priority Mail Postal Service" [GJX_308@neworleans.com]
Subject:      Tracking Detail (Y)VH30 307 516 2676 5647

FedEx    
Order: SGH-3818-3779326179    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

====================

Date:      Sat, 08 Dec 2012 14:11:29 -0700
From:      "UPS Receipt" [NOreply.094@shreveport.com]
Subject:      Number (X)UJ39 079 034 0694 8327

FedEx    
   
Order: SGH-0987-4616781861    
Order Date: Monday, 2 December 2012, 12:32 AM

Dear Customer,

Your parcel has arrived at the post office at December 7.Our postrider was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this postal receipt.

    GET POSTAL RECEIPT        
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

Some other subject lines:
Number (A)CFV63 149 496 9260 0620
Tracking Detail (S)ESQ89 729 953 7596 6283

Some download sites (don't visit these unless you know what you are doing)
www.musikschule-nvp.de/SNDDAAWTBR.php?php=receipt
www.mcfcdonegal.com/OPMUYUCCIV.php?php=receipt
www.beller-das.de/NWAPXATXVT.php?php=receipt
www.trude-hau-rein.de/UWQNZZWFXZ.php?php=receipt

Update 14: just in time for Christmas..

Date:      Tue, 25 Dec 2012 00:07:07 +0200
From:      "Office 852" [mu-852@orlando.com]
Subject:      Tracking Detail (193)92-193-193-9477-9477

FedEx    
   
Order: VGH-4658-1148074435    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.
DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
The binary has changed again, detection rates are patchy. Anubis reports that the malware calls home to 74.80.220.148:60000 which would make it a Zbot variant.

Update 15: this one loads via [donotclick]www.eurogleuf.nl/DERZRCUKKY.php?php=receipt , VitusTotal detection rates are just 7/46.

From:     Express Mail Service [user-989@louisville.com]
date:     26 December 2012 10:46
subject:     Tracking ID (580)53-580-580-3103-3103

FedEx    
   
Order: VGH-2024-9642451224    
Order Date: Friday, 14 December 2012, 01:21 PM

Dear Customer,

Your parcel has arrived at the post office at December 20.Our courier was unable to deliver the parcel to you.

To receive a parcel, please, go to the nearest our office and show this receipt.

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.

Update 16: just in time for New Year's day, this one loads via [donotclick]www.subclix.com/QJXBJWUUEJ.php?php=receipt. VT detections are again patchy.

Date:      Sun, 06 Jan 2013 A.D. 05:11:30 -0500
From:      "Worldwide Express Mail Service" <support_489@coloradosprings.com>
To:      [redacted]
Subject:      Tracking Number (I)FG03 107 566 0859 2689

FedEx    
   
Order: HJF-8295-96674032    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012

================


Date:      Sat, 05 Jan 2013 19:25:48 -0400
From:      "Worldwide Express Mail" <support.800@portland.com>
To:      [redacted]
Subject:      Number (M)EG25 627 586 0611 4432

*+++
FedEx   
   
Order: HJF-9667-27583280    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 A.D. 13:57:18 -0400
From:      "First-Class Mail Postal Service" <support.813@baltimore.com>
To:      [redacted]
Subject:      Number (V)TGS29 427 081 6880 9243

FedEx    
   
Order: HJF-3918-81582364    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012    

================


Date:      Sat, 05 Jan 2013 09:05:00 -0400
From:      "First-Class Mail Service" <DTU.160@baltimore.com>
To:      [redacted]
Subject:      Tracking Detail (S)JYD60 835 496 0448 5921

FedEx    
   
Order: HJF-8882-94725648    
Order Date: Thursday, 27 December 2012, 10:41 AM

Dear Customer,

Your parcel has arrived at the post office at December 31.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

DOWNLOAD POSTAL RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Example download sites:
[donotclick]omahadisability.com/UWOJIEUBLS.php?php=receipt
[donotclick]p-g-maintenance.co.uk/YLFDRZWNJP.php?php=receipt
[donotclick]cctvsecuritysystemshouston.com/XUAJAIPISI.php?php=receipt
[donotclick]itiyam.com/WEQOHWFEAK.php?php=receipt

Note the these URLs seem to be hardened against analysis, if you can't access them check your user agent and referrer strings.

Update 17: and more, this time with the following details:

Tracking Number (B)TXP55 992 494 4822 1645
Number (N)DD46 790 881 6344 2460

Order: HJF-4121-39707012
Order: HJF-2424-11089225

[donotclick]jcpub.com/SXYUXBKFQF.php?php=receipt
[donotclick]travelclinicsswansea.com/INJIETKYXV.php?php=receipt

 Update 18: another spam run, detection rates are a bit better for this one:

Date:      Wed, 09 Jan 2013 06:35:16 +0200
From:      "Shipping Service" [IAL_792@chesapeake.com]
Subject:      Tracking Detail (V)QT48 601 848 0556 8882

FedEx    
   
Order: JN-3254-98757378    
Order Date: Thursday, 3 January 2013, 11:23 AM

Dear Customer,

Your parcel has arrived at the post office at January 6.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
� FedEx 1995-2012 
Variants:
Tracking ID (R)EBE08 923 976 4800 2506
Tracking ID (Y)OKX60 559 414 2225 0045
Order: JN-8274-10502299
Order: JN-9593-93771591

Sample download sites:
[donotclick]fibam.be/CMNVTXINXV.php?php=receipt
[donotclick]sofa-session.ch/PRRVWKCUQJ.php?php=receipt

Update 19: another spam run with the following characteristics:

Subject: Tracking Number (E)KA09 359 952 5829 0864
Order: JN-9160-75660784
Download site: [donotclick]endlich-ein-dsl-anschluss.de/HUPAHPNHTC.php?receipt=ss00_323
VirusTotal report

Update 20: another one, this time downloading from [donotclick]businesscoaching24.com/BWMIZNPQAT.php?receipt=802_195210783

Date:      Sun, 27 Jan 2013 13:09:22 +0100
From:      "Priority Mail Postal Service" [clients-669@columbus.com]
Subject:      Number (L)BVT74 159 159 2182 2182

Fed Ex    
   
Order: HCD-7626-14749451    
Order Date: Thursday, 17 January 2013, 11:10 AM

Dear Customer,

Your parcel has arrived at the post office at January 21.Our courier was unable to deliver the parcel to you.

To receive your parcel, please, go to the nearest office and show this receipt.

   

GET & PRINT RECEIPT
   
Best Regards, The FedEx Team.
   
FedEx 1995-2012    
Detection rates are patchy according to VirusTotal. The ThreatExpert report is here.

Update 21: another sample, this time from [donotclick]mydrugstoreus.net/get_file.php?print_receipt=ss00_323, VirusTotal results are 16/46.

Date:      Tue, 05 Feb 2013 19:20:36 -0400
From:      "Manager David Riddle" [manager@tampa.us]
Subject:      Order Detail

FedEx    
   
Tracking ID: 4013-85911016    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
Update 22: this one downloads from [donotclick]zdsw.net/get_file.php?receipt_print=ss00_323 with VirusTotal detections at 12/46.

Date:      Wed, 06 Feb 2013 18:29:28 -0400
From:      "Manager William Burt" [service@greensboro.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 5739-64600336    
Date: Monday, 28 January 2013, 09:22 AM

Dear Client,

Your parcel has arrived at February 1.Courier was unable to deliver the parcel to you at 1 February 05:54 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013     
According to ThreatExpert, this version attempts to connect to the following IP addresses which may be worth blocking:

46.4.178.174
66.84.10.68
66.232.145.174
77.79.81.166
80.90.198.43
81.93.248.152
84.38.159.166
85.186.22.146
85.214.50.161
89.19.20.202
94.101.86.146
173.255.203.178
190.111.176.13
202.153.132.24
202.169.224.202
217.11.63.194

Update 23: this variant downloads from [donotclick]www.ocadaval.com/tmp/vsgnpg.php?receipt_print=ss00_323 with VirusTotal detections of 16/46:

From: Manager Jayden Dickson [support@santaana.us]
Date: 8 February 2013 03:33:48 CET
Subject: Tracking Info
FedEx    
   
7475-42208096     Monday, 4 January 2013, 08:24 AM

Your parcel has arrived at February 6.Courier was unable to deliver the parcel to you at 6 February 05:51 PM.
To receive your parcel, please, print this receipt and go to the nearest office.    
          Print Receipt

Best Regards, The FedEx Team.        
       
FedEx 1995-2013        
Update 24: downloading from [donotclick]www.olmuccio.com/tmp/0iuziv.php?receipt_print=ss00_323 and with VirusTotal detections of just 10/46.

Date:      Mon, 11 Feb 2013 A.D. 13:35:56 -0500
From:      "Manager Daniel Acevedo" [manager@lexington.us]
Subject:      Order Information

FedEx    
   
Tracking ID: 2803-20131928    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 25: downloading from [donotclick]www.onzeklus.com/tmp/gnnvyg.php?receipt_print=ss00_323 with VirusTotal detections at just 7/44.

Date:      Wed, 13 Feb 2013 A.D. 16:28:00 -0400
From:      "Manager William Burt" [client@wichita.us]
Subject:      Shipping Service

FedEx    
   
Tracking ID: 2890-49318193    
Date: Monday, 4 January 2013, 09:42 AM

Dear Client,

Your parcel has arrived at February 8.Courier was unable to deliver the parcel to you at 8 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
Update 26: downloading from [donotclick]www.assembleserver.net/clients/comp/mirror.php?receipt_print=ss00_323 with VirusTotal detections of just 5/46.

Date:      Fri, 15 Feb 2013 10:44:44 -0400
From:      "Manager Jayden Soto" [manager@norfolk.us]
Subject:      Shipping Info

FedEx    
   
Tracking ID: 4374-23102840    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 14.Courier was unable to deliver the parcel to you at 14 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

   

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013    
According to Anubis, the malware attempts to call home to the following IPs:
66.84.10.68
72.29.84.159
87.118.122.19
94.101.86.146
173.255.203.178

Update 27: downloading from[donotclick]/phillipsflorist.co.uk/wp-content/plugins/akismet/mirror.php?receipt=ss00_323 with a detection rate of 4/45.
Date:      Wed, 20 Feb 2013 10:00:38 -0400
From:      "Manager Mason Marsh" [service@anaheim.us]
Subject:      Order Shipped

FedEx    
   
Tracking ID: 9702-66479247    
Date: Monday, 11 February 2013, 10:22 AM

Dear Client,

Your parcel has arrived at February 18.Courier was unable to deliver the parcel to you at 18 February 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, this malware tries to call home to:
50.115.116.201
81.93.248.152
87.118.122.19
94.23.193.229
190.111.176.13
213.229.106.32



Update 28: another version, with a download site of [donotclick]www.2handhome.com/components/.ebgv3m.php?receipt=838_129704313 and a VirusTotal score of just 6/45.

Date:      Wed, 13 Mar 2013 05:54:18 -0700
From:      "Manager Liam Ortega" [support@lincoln.us]
Subject:      Tracking Information

FedEx    
   
Tracking ID: 6673-95490112    
Date: Monday, 4 March 2013, 10:22 AM

Dear Client,

Your parcel has arrived at March 7.Courier was unable to deliver the parcel to you at 7 March 06:33 PM.

To receive your parcel, please, print this receipt and go to the nearest office.

 Print Receipt
   
Best Regards, The FedEx Team.
   
FedEx 1995-2013 
According to Anubis, the malware calls home to:
87.106.51.52:8080
91.121.156.162:8080
80.67.6.226:8080
93.125.30.232:8080
174.120.225.57:8080
91.121.28.146:8080
193.23.226.15:8080


BeyondTek IT / Beyond Tek IT / beyondtekit.com spam

Here's an annoying spammer.. but who are they exactly?


From:     Nick Snow ---- BeyondTekIT Nick@beyondtekit.com
Date:     27 November 2012 10:24
Subject:     Your IT Jobs - HR

Hello:

The IT market is extremely HOT right now and there is no doubt that, there is a severe shortage of qualified, experienced IT candidates and an over-abundance of IT jobs being advertised by companies all over the country. It seems, most qualified candidates are in such high demand that they are getting multiple offers, which is making it difficult for companies to fill certain positions.

That being said please let me know if you currently have any hard-to-fill IT positions at  that we could provide candidates for. We can assist with contract, contract-to-hire/temp-to-perm, or permanent positions.

We have candidates available across all technologies and skill-sets, including (this is only a partial list):
Programmers/Developers - Java, C++, .Net, Ruby, Web, Perl, Python, PHP, ColdFusion, etc
Systems Analysts / Business Analysts
QA Engineers/Analysts/Testers
DBA's - SQL Server, Oracle, MySQL, etc
SAP Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Oracle Consultants - Technical, Functional, Techno-Functional, Analysts, Developers
Data Warehouse/Business Intelligence Developers/Engineers - ETL, SSIS, SSAS, SSRS, Cognos, etc
Project Managers
Systems Administrators - Linux, Window, etc
Executive - CIO, CTO, VP of IT, etc

PS - We have just started offering our clients a business model of hiring off-site developers, who can be your employees but working from our office in India. Please ask me for more details, and I can send you our PowerPoint presentation.

Thank you.

Nick Snow
BeyondTek IT
Tel: 714-572-1544
nick@beyondtekit.com
www.BeyondTekIT.com
The spam (and it is spam) originates from a server on 216.14.62.75 (Telepacific Communications, Los Angeles) which also hosts the beyondtekit.com and beyondtechit.com domains.

So who are BeyondTekIT? (They also spell their name Beyond Tek IT and BeyondTek IT). The WHOIS details for the beyondtekit.com (and beyondtechit.com) are no help because they are anonymised. So, perhaps their website gives a clue.. and indeed they give the following contact details:

BeyondTek IT
1057 E. Imperial Highway, Suite 509
Placentia, CA 92870

Phone: 714-572-1544
Fax:     714-364-9705

General Inquiries:                     info@beyondtekit.com
Candidate Resume Submittals: resume@beyondtekit.com
So, this is a California company. So it must be registered in the State of California? Err.. no. There is no business entity of this name. So let's check out the address.. well, that turns out to be a store called Postal Max that rents out mailboxes.

A bit of hard searching around shows that this is not a US based company at all, but is actually based in India (the email mentions an Indian connection). Their real website is at beyondtech.in and clearly mentions the maildrop address on their contact page.

The WHOIS details for this domain are:

Registrant ID:SB23414228
Registrant Name:Nishant Rastogi
Registrant Organization:One MG
Registrant Street1:23, North Boag Road, TNagar
Registrant Street2:
Registrant Street3:
Registrant City:Chennai
Registrant State/Province:Tamil Nadu
Registrant Postal Code:600017
Registrant Country:IN
Registrant Phone:+91.9444034408
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mail@onemg.in


I personally wouldn't recommend giving any personal details to spammers, and I certainly wouldn't recommend giving details to a company that seems to spend some effort to conceal who they really are. But, bear in mind that there are no anti-spam laws in India which explains the high level of Indian spam messages (think SEO spam) that we see, so under Indian law they are probably not doing anything wrong, but surely if they are trading as a California entity then they need to be registered?


"Copies of Policies" spam / ganiopatia.ru

This spam leads to malware on ganiopatia.ru:


Date:      Mon, 26 Nov 2012 02:31:10 -0500
From:      sales1@victimdomain.com
Subject:      RE: ALINA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

ALINA Prater,

==========


Date:      Mon, 26 Nov 2012 02:26:33 +0300
From:      ALISHIADBSukwQEf@aol.com
Subject:      RE: ALISHIA - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

ALISHIA Gee,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 08:42
Subject: RE: MARCELLE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.
Here is the Package and Umbrella,

and a copy of the most recent schedule.

MARCELLE SPENCE,

==========

From: accounting@victimdomain.com
Sent: 26 November 2012 07:54
Subject: RE: KASSIE - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,
and a copy of the most recent schedule.

KASSIE ROMANO,


The malicious payload is at [donotclick]ganiopatia.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)

Note that ganalionomka.ru  is also on the same cluster of servers and will also be malicious. These IP addresses have been used for malware several times, blocking access to them would be a good idea.

Friday, 23 November 2012

Malware sites to blog 23/11/12 - Part 2

Some more bad domains, closely related to this malicious spam run, spotted at the GFI blog, hosted on 192.155.83.191 (Linode, US)

192.155.83.191
5.estasiatica.com
5.finesettimana.com
5.italycook.com
5.hdsfm.com
5.eventiduepuntozero.com
5.finesettimana.net

Malware sites to block 23/11/12

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one).  The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

Malware servers:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (DirectSpace Networks, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US / Jolly Works Hosting, Philippines)

Plain list of IPs for copy-and-pasting:
50.116.16.118
64.94.101.200
69.194.194.216
70.42.74.152
94.76.235.199
173.246.103.59
173.246.103.112
173.246.103.124
173.246.103.184
173.246.104.21
174.140.168.143
198.74.52.86
209.188.0.118

Apparently malicious domains and subdomains:
50.116.16.118 (Bluehost, US)
64.94.101.200 (Nuclear Fallout Enterprises, US)
69.194.194.216 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
94.76.235.199 (Simply Transit, UK)
173.246.103.59 (Gandi, US)
173.246.103.112 (Gandi, US)
173.246.103.124 (Gandi, US)
173.246.103.184 (Gandi, US)
173.246.104.21 (Gandi, US)
174.140.168.143 (Gandi, US)
198.74.52.86 (Linode, US)
209.188.0.118 (Secured Servers, US)

1.alikeword.com
1.basicwheel.com
1.bigbroshark.net
1.blueseadolphin.net
1.callteamverve.com
1.connectedwheel.com
1.forrest-lake.info
1.killerwheel.com
1.lake-forrest.com
1.lake-forrest.info
1.lake-forrest.net
1.lowcowroller.com
1.lowcowroller.net
1.metallbeaar.net
1.rabbitharky.com
1.rabbitharky.net
1.roboxanger.net
2.5900bracknell.info
2.alikeword.com
2.allenpremierhomes.com
2.aloeups.com
2.alohevera.com
2.basicwheel.com
2.bigbroshark.net
2.blueseadolphin.net
2.boxanh.com
2.callteamverve.com
2.carrollton-realestate.com
2.connectedwheel.com
2.forrest-lake.info
2.frommyhousetoyours.com
2.killerwheel.com
2.lake-forrest.com
2.lake-forrest.info
2.lake-forrest.net
2.lowcowroller.com
2.lowcowroller.net
2.metallbeaar.net
2.pacbancwholesale.com
2.pacificbancwholesale.com
2.rabbitharky.com
2.rabbitharky.net
2.refiinc.com
2.roboxanger.net
2.taxreliefofamerica.com
2.webdedang.com
2.webdedang.net
2.wholesalepbm.com
2.zerocostfha.com
2.zfhaloan.com
3.alikeword.com
3.amandahuynh.com
3.basicwheel.com
3.bigbroshark.net
3.bluepointmortgage.com
3.blueseadolphin.net
3.callteamverve.com
3.connectedwheel.com
3.coolerpillow.com
3.directfhafunding.com
3.forrest-lake.info
3.gutterkings.biz
3.helpmemodify.com
3.insulkings.com
3.killerwheel.com
3.lake-forrest.com
3.lake-forrest.info
3.lake-forrest.net
3.lowcowroller.com
3.lowcowroller.net
3.markmatta.com
3.metallbeaar.net
3.rabbitharky.com
3.rabbitharky.net
3.roboxanger.net
4.alikeword.com
4.androidislamic.com
4.basicwheel.com
4.bigbroshark.net
4.blueseadolphin.net
4.callteamverve.com
4.collecorvino.org
4.connectedwheel.com
4.dlevo.com
4.forrest-lake.info
4.habitacoesferiasacores.com
4.icedambusters.net
4.icedambusters.org
4.insul-king.com
4.insulking.org
4.insul-king.org
4.insul-kings.org
4.islamicandroid.com
4.islamicmid.com
4.islamictab.com
4.killerwheel.com
4.lake-forrest.com
4.lake-forrest.info
4.lake-forrest.net
4.lowcowroller.com
4.lowcowroller.net
4.lowellgeneralcarjacking.com
4.lowellgeneralhospitalcarjacking.com
4.lowellgeneralhospitalcarjacking.net
4.metallbeaar.net
4.rabbitharky.com
4.rabbitharky.net
4.roboxanger.net
5.alikeword.com
5.attilacrm.com
5.basicwheel.com
5.bigbroshark.net
5.bitwin.com
5.blueseadolphin.net
5.callteamverve.com
5.connectedwheel.com
5.forrest-lake.info
5.killerwheel.com
5.lake-forrest.com
5.lake-forrest.info
5.lake-forrest.net
5.lowcowroller.com
5.lowcowroller.net
5.metallbeaar.net
5.rabbitharky.com
5.rabbitharky.net
5.roboxanger.net
6.alikeword.com
6.alohevera.com
6.basicwheel.com
6.bigbroshark.net
6.blueseadolphin.net
6.callteamverve.com
6.connectedwheel.com
6.fionabuchanan.com
6.forevergreen.us.com
6.forrest-lake.info
6.grapafood.com
6.hotels-rooms.com
6.incidentalrecruitment.com
6.killerwheel.com
6.lake-forrest.com
6.lake-forrest.info
6.lake-forrest.net
6.lowcowroller.com
6.lowcowroller.net
6.metallbeaar.net
6.negutterking.org
6.negutterkings.biz
6.negutterkings.info
6.negutterkings.net
6.negutterkings.org
6.nomoreicedams.com
6.nomoreicedams.net
6.rabbitharky.com
6.rabbitharky.net
6.roboxanger.net
7.alikeword.com
7.basicwheel.com
7.bigbroshark.net
7.blueseadolphin.net
7.callteamverve.com
7.connectedwheel.com
7.forrest-lake.info
7.killerwheel.com
7.lake-forrest.com
7.lake-forrest.info
7.lake-forrest.net
7.lowcowroller.com
7.lowcowroller.net
7.metallbeaar.net
7.rabbitharky.com
7.rabbitharky.net
7.roboxanger.net
8.alikeword.com
8.aloeventures.com
8.aloeverasoftdrinks.com
8.aloevirgin.com
8.basicwheel.com
8.bigbroshark.net
8.blueseadolphin.net
8.cafesexcelentes.com
8.callteamverve.com
8.connectedwheel.com
8.corporatemodeler.com
8.elbancodelospobres.com
8.foodex.us
8.forrest-lake.info
8.joanvaldez.com
8.killerwheel.com
8.klipette.com
8.koguis.com
8.lake-forrest.com
8.lake-forrest.info
8.lake-forrest.net
8.lowcowroller.com
8.lowcowroller.net
8.metallbeaar.net
8.rabbitharky.com
8.rabbitharky.net
8.roboxanger.net
9.alikeword.com
9.basicwheel.com
9.bigbroshark.net
9.blueseadolphin.net
9.bohmamei.com
9.boondocksdistillery.com
9.callteamverve.com
9.connectedwheel.com
9.forrest-lake.info
9.hclinstitute.com
9.i-am-a-pussy.com
9.killerwheel.com
9.lake-forrest.com
9.lake-forrest.info
9.lake-forrest.net
9.lowcowroller.com
9.lowcowroller.net
9.metallbeaar.net
9.rabbitharky.com
9.rabbitharky.net
9.roboxanger.net
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Or if you just want to block domains rather than subdomains:
alikeword.com
app-market.it
basicwheel.com
bigbroshark.com
bigbroshark.net
blueseadolphin.com
blueseadolphin.net
callteamverve.com
connectedwheel.com
forrest-lake.info
killerwheel.com
lake-forrest.com
lake-forrest.info
lake-forrest.net
lowcowroller.com
lowcowroller.net
maxiwheel.com
metallbeaar.com
metallbeaar.net
rabbitharky.com
rabbitharky.net
roboxanger.net
selfwheel.com
subwheel.com

Something evil on 5.135.192.16/30

It looks like there are a set of exploit sites in the range 5.135.192.16/30 serving up TrueType exploits (such as CVE-2011-3402) which is being pushed by a malicious URL at [donotclick]mwko.zsomteltepngs.info/40c0dee71a9b9d715539b7d56c3d5f23.eot . The potentially malicious sites in this range include:

10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
jhqp.bcodec.info
ksmuaelteory.net
mwko.zsomteltepngs.info
osmuaelteory.net
psmuaelteory.net
qfgc.hlegolaj.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zbav.hsomteltepngs.info

If you're interesting in blocking whole domains rather than subdomains then here's a list you can use:

10bloodek.info
1bloodek.info
5helnima.net
anotepad.info
asomteltepngs.info
bcodec.info
hlegolaj.net
hsomteltepngs.info
ksmuaelteory.net
osmuaelteory.net
psmuaelteory.net
qsomteltepngs.info
rsomelostell.net
shelnima.net
whelnima.net
xsomteltepngs.info
ysomteltepngs.info
zsomteltepngs.info

The netblock is controlled by OVH, but suballocated:

organisation:   ORG-AL263-RIPE
org-name:       Anton Legaev
org-type:       OTHER
address:        Ukraine, 61033, Kharkiv, Sadovo-Naveregnaja 21-1
abuse-mailbox:  angelesgower@inbox.com
phone:          +3.809287783621
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Blocking access to this (small) IP range and/or these domains should offer some protection, although the best bet is to make sure that your user PCs are fully patched at all times.

"Changlog 10.2011" spam / efaxinok.ru

This spam leads to malware on efaxinok.ru:

Date:      Fri, 23 Nov 2012 10:14:22 +0600
From:      "Contact" [customer-notification@ups.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog-212.htm

Good morning,

as promised changelog (Internet Explorer File)
The victim is enticed to click on the attachment which leads to a malicious payload on [donotclick]efaxinok.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66

These are the same IPs as used in this attack yesterday, and it forms part of a long-running malcious spam run which appears to have been going on forever. Of note, there's a new domain in this cluster of delemiator.ru which I haven't seen yet being used in a malicious spam run, but it probably will be.

Thursday, 22 November 2012

Facebook spam / ceredinopl.ru

This fake Facebook (or is it Habbo?) spam leads to malware on ceredinopl.ru:

Date:      Thu, 22 Nov 2012 01:30:38 -0700
From:      Habbo Hotel [auto-contact@habbo.com]
Subject:      You have notifications pending

facebook
Hi,
Here's some activity you may have missed on Facebook.
REFUGIA MERRILL has posted statuses, photos and more on Facebook.
Go To Facebook
   
See All Notifications
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303
The malicious payload is at [donotclick]ceredinopl.ru:8080/forum/links/column.php hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
208.87.243.131 (Psychz Networks, US)
216.24.196.66 (Psychz Networks, US)

The following IPs and domains are all connected:
202.180.221.186
203.80.16.81
208.87.243.131
216.24.196.66
ceredinopl.ru
investinindia.ru
hamasutra.ru
feronialopam.ru
monacofrm.ru
bamanaco.ru
ionalio.ru
investomanio.ru
veneziolo.ru
fanatiaono.ru
analunakis.ru

Malware sites to block 22/11/12

This is part of a newish cluster of malware sites being promoted through finance related spam, spotted by GFI Labs here and on this blog here.

50.61.155.86 (Fortress ITX,US)
69.194.196.5 (Solar VPS, US)
70.42.74.152 (Nuclear Fallout Enterprises, US)
173.246.103.112 (Gandi, US)
192.155.83.186 (Linode, US)
192.155.83.191 (Linode, US)
198.74.53.207 (Linode, US)

Plain list of IPs and domains for copy-and-pasting:
 5.estasiatica.com
5.chinottoneri.com
6.grapainterfood.com
6.grapaimport.com
6.grapafood.com
6.pascesoir.net
50.61.155.86
69.194.196.5
70.42.74.152
173.246.103.112
192.155.83.186
192.155.83.191
198.74.53.207

Tuesday, 20 November 2012

5.estasiatica.com / 66.228.57.248

It looks like another variant of this malicious spam run could be brewing on 5.estasiatica.com / 66.228.57.248 (Linode, US). A bit of pre-emptive blocking might be in order..

BLNX.L shares takes a dump

I've covered Blinkx (BLNX.L) before, and you can say that I'm not a fan of the company, the way it does business or its ethical stance.

So it's quite amusing to see Blinx shares take a dump and drop 10% today. Why? Because of their associate with Michael Richard Lynch, a director of Blinkx and also former CEO of Autonomy Corporation, who finds himself in the centre of a massive row with new owners HP. HP have written off 87% of the value of their acquisition over alleged false accounting practices.

Presumably BLNX.L shareholders are worried that some of the toxic effects of this meltdown will also impact them. If these as-yet unproven allegations prove true, then who knows..

"Don't forget about meeting tomorrow" spam / hamasutra.ru

This spam leads to malware on hamasutra.ru:

From: Lula Stevens [mailto:JolieWright@shaw.ca]
Sent: 20 November 2012 05:57
Subject: Don't forget about meeting tomorrow

Don't forget this report for meeting tomorrow.
See attached file. (Internet Explorer file) 

In the sample I have seen, there is an attachment called Report.htm with some obfuscated javascript leading to a malicious payload at [donotclick]hamasutra.ru:8080/forum/links/column.php hosted on the following IPs:

82.165.193.26 (1&1, Germany)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)

Plain list:
82.165.193.26
202.180.221.186
203.80.16.81
216.24.196.66

Malware sites to block 20/11/12

This summary is not available. Please click here to view the post.

Monday, 19 November 2012

"Southwest Airlines" spam / headerandfooterprebuilt.pro

This fake Southwest Airlines spam leads to malware at headerandfooterprebuilt.pro:

Date:      Mon, 19 Nov 2012 19:33:04 +0000
From:      "Southwest Airlines" [no-reply@luv.southwest.com]
To:      [redacted]
Subject:      Southwest Airlines Confirmation: 5927NI

[redacted] 2012-11-19 86KY9Z INITIAL SLC WN PHX0.00T/TFF 0.00 END AY3.50$SLC2.50 1445164773311 2013-11-22 1655 2012-11-20 Depart SAN LEONARD CITY UT (SLC) at 8:08 PM on Southwest Airlines Arrive in PHOENIX AZ (PHX) at 9:02 PM

You're all set for your traveling!
   
   
My Account | Review My Itinerary Online

   
Check Up Online | Check Flight Status | Change Flight | Special Offers | Hotel Deals | Car Deals
   
Ready for lift-off!
   
Thanks Southwest for your travel! You can find everything you need to know about your booking below. Happy voyage!
Upcoming Cruise: 11/20/12 - SLC - Phx Knight 

The malicious payload is at [donotclick]headerandfooterprebuilt.pro/detects/quality_flyes-ticket_check.php hosted on 198.27.94.80 (OVH, US). There are probably other Bad Things on that IP address, I just can't see them yet.. blocking it would be a good precaution.

"W-1" spam / 5.chinottoneri.com

This is a new one, pretending to be from the victim's HR department with tailored fake links in the email that look like they are going to the victim's own domain. Of course, floating over the links reveals that they point to some other domain entirely. A W-1 form is a tax form or some sort from the US Internal Revenue Service.

From: Administrator [mailto:administrator@victimdomain.com]
Sent: 19 November 2012 14:50
Subject: To All Employee's - Important Address UPDATE

To All Employee's:

The end of the year is approaching and we want to ensure every employee receives their W-1 to the correct address.
Verify that the address is correct - https://local.victimdomain.com/details.aspx?id=[redacted]
If changes need to be made, contact HR at https://hr.victimdomain.com/update.aspx?id=[redacted].

 Administrator,
http://victimdomaincom
In this case, the link bounces through two hacked legitimate sites to end up at [donotclick]5.chinottoneri.com/links/landing-philosophy_dry-suspende.php hosted on 50.61.155.86 (Fortress ITX, US). VirusTotal detections are pretty low. I suspect that there are many other malicious sites on this IP, blocking it would be wise.

"End of Aug. Statement Reqiured" spam / bamanaco.ru

This spam leads to malware on bamanaco.ru:

Date:      Mon, 19 Nov 2012 03:55:08 -0500
From:      ups [admin@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-1119-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per oct. 2012 ( Internet Explorer/Mozilla Firefox file)



Regards

The malicious payload is at [donotclick]bamanaco.ru:8080/forum/links/column.php hosted on the following IPs:

203.80.16.81 (MYREN, Malaysia)
216.24.196.66 (Psychz Networks, US)

These IPs have been used to deliver malware several times recently, you should block access to them if you can.

Saturday, 17 November 2012

J. dee Edwards / jdeeedwards.com scam

I'm not even certain what this scam is, but this is certainly not legitimate:

From: J. dee Edwards j.edwards@jdeeedwards.com
Reply-To: j.edwards@jdeeedwards.com
Date: 17 November 2012 16:29
Subject: Edwards contact

Dear Colleague,

We are working with healthcare market companies which would like to hear your opinion.

We would like you to become a member of working group and share your opinion online. Please review your full name, specialty, country and language by clicking on the link http://www.jdeeedwards.com/contact.php?e=[redacted] or replying to the email.

Thank you for your time.

J. dee Edwards HRms
j.edwards@jdeeedwards.com
http://www.jdeeedwards.com

To ensure that our emails reach you, please remember to add j.edwards@jdeeedwards.com to your email address book.
We would like to remind you that J. dee Edwards is committed to safeguarding your privacy and your personal details will not be disclosed to third parties.
If you do not wish to receive please visit: http://jdeeedwards.com/unsub.php?e=[redacted]
Copyright 2012 - J. dee Edwards - 20 Broadwick Street London, UK 
Firstly, the email is sent to an address that ONLY spammers use, which is not a good sign. Secondly, the domain jdeeedwards.com has anonymous WHOIS details and was registered just over a month ago - the site is hosted on 54.247.87.188 (Amazon, Ireland) and looks like this:

This fairly badly spelled page (the title is "J. dee Edwards - Human resourcs experts") says:

J. dee Edwards
Human resources experts

We plan, direct, and coordinate the administrative functions of an organization. We oversee the recruiting, interviewing, and hiring of new staff; consult with top executives on strategic planning; and serve as a link between an organization’s management and its employees.

We are comming soon...
Now, there did used to be a company called JD Edwards, but there isn't any more, nor is there a company called J. dee Edwards anywhere in the UK.




The link in the email is some sort of signup thing, I guess it's the first part of a scam to recruit people for some sort of illegal activity.


Oddly, the email address is an "optional" component, so how are they going to contact you? Maybe it's the tracking code in the link.

Alternatively, you can reply by email and this is the third suspect thing, the mailserver is on 85.206.51.81 in Lithunia (AS8764 / LIETUVOS-TELEKOMAS). AS8764 is a pretty scummy netblock according to Google. 85.206.51.81 is also the IP address the spam was sent from.


So, a non-existent company with a month-old domain sends an email to an address only spammers use, from an email server in a dodgy part of cyberspace. Whatever this is, it is some sort of scam and is definitely best avoided.

Friday, 16 November 2012

Malware sites to block 16/11/12

Some more evil domains and IPs, connected with this spam run. (Thanks, GFI)

chelseafun.net
cosmic-calls.net
dirtysludz.com
fixedmib.net
packleadingjacket.org
performingandroidtoios.info
65.131.100.90
75.127.15.39
82.145.36.69
108.171.243.172
218.102.23.220

Thursday, 15 November 2012

Changelog spam / feronialopam.ru

This fake "Changelog" spam leads to malware on feronialopam.ru:


Date:      Thu, 15 Nov 2012 10:43:59 +0300
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Changelog 2011 update
Attachments:     changelog-12.htm

Hello,



as promised chnglog attached (Internet Explorer File)

==========



Date:      Thu, 15 Nov 2012 05:43:09 -0500
From:      Chaz Shea via LinkedIn [member@linkedin.com]
Subject:      Re: Changelog as promised(updated)
Attachments:     Changelog-12.htm

Hello,



as prmised changelog is attached (Internet Explorer File)

The malicious payload is at [donotclick]feronialopam.ru:8080/forum/links/column.php hosted on a familiar looking bunch of IP addresses that you really should block:

120.138.20.54 (Sitehost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)

Wednesday, 14 November 2012

promotesmetasearch.net promotes malware

From the WeAreSpammers blog:

This looks like a fake get-rich-quick scam email which is actually intended to distribute malware.

Originating IP is 5.39.101.233 (OVH, Germany). Spamvertised domains are 8mailer.com on 5.39.101.225 (OVH, Germany) and promotesmetasearch.net on 46.249.38.27 (Serverius Holding, Netherlands).

This last one is kind of interesting, because a) it's all in French and b) it contains a virus. The malware attempts to download an exploit kit from [donotclick]vodkkaredbuuull.chickenkiller.com/trm/requesting/requesting-pass_been_loaded.php which is kind of unfriendly, hosted on the same IP address.

The WHOIS details show a completely different name and address from the one quoted on the email:

    Florence Buker
    florence_buker05@rockfan.com
    7043 W Avenue A4
    93536 Lancaster
    United States
    Tel: +1.4219588211

Clearly the owner of promotemetasearch.net is up to no good, and I would suggest the Anthony Tomei connection might well be completely bogus.

From: Anthony Tomei admin@8mailer.com
Reply-To: info@promotesmetasearch.net
To: donotemail@wearespammers.com
Date: 14 November 2012 18:22
Subject: launch of

Dear Future Millionaire,

Making $100,000 per month is not hard. In fact, there are 2 ways you accomplish this easy task of making money in a short period of time.

The first way is to...

Click HERE for the complete article>

Anthony Tomei is an Expert Internet Network Marketer. Anthony is known as the Master Marketer and practically gives away all of his secrets, methods and marketing techniques.

This email was sent by Promotes Metasearch, 710 E. Steve Wariner Dr., Vancouver, BC g1x3h4
Click here to unsubscribe
You should probably regard the domain chickenkiller.com as compromised and blog it. Additionall, allt he following IPs and domains are related and a probably malicious.

46.249.38.21
46.249.78.23
46.249.38.27
deficiencieshiss.net
personaloverly.net
spaceyourfilesbig.chickenkiller.com
vodkkaredbuuull.chickenkiller.com
firefoxslacker.pro
personaloverly.net
wowteammy113.org
logicalforced.org
flashkeyed.org
incidentindie.org
sufficeextensible.org
laughspadstyle.org
check-update.org
softtwareupdate.org
internallycontentchecking.org
cordlesssandboxing.org
westsearch.org
perclickbank.org
trayscoffeecup.org
agreedovetails.org
commencemessengers.org
dfgs453t.org
disappointmentcontent.org
whiskeyhdx.org
uhgng43fgjl82309dfg99df1.com
rethnds732.com
odiushb327.com
a6q7.com
makosl.com
noticablyccleaner.com
leisurelyadventures.com
invitedns.com
srv50.in
flacleaderboard.in
frwdlink.in
tgy56fd3fj.firm.in
warrantynetwork.co.in
kclicksnet.in
reelshandsoff.info
scatteredavtestorg.info
ap34.pro
trafficgid.pro
stop2crimepeople.pro
huge4floorhouse.pro
exportlite.pro
weeembedding.pro
layer-grosshandel.pro
firefoxslacker.pro
s1topcrimefor.pro
opera-soft.pro
brauser-soft.pro
mp3soft.pro
pornokuca.net
licencesoftwareupda.net
settlementstored.net
licencesoftwareuppd.net
compartmentalizationwere.net
seniorhog.net
coinbatches.net
isnbreathy.net
mrautorun.ru
askedvisor.ru
srv50.biz
vimeosseeing.biz
threatwalkthrough.biz
promotemetasearch.net

Tuesday, 13 November 2012

"End of Aug. Statmeent" spam / veneziolo.ru

The spam never stops, this malicious email leads to malware at veneziolo.ru:

Date:      Tue, 13 Nov 2012 12:27:15 -0500
From:      Mathilda Allen via LinkedIn [member@linkedin.com]
Subject:      Re: End of Aug. Statmeent required
Attachments:     Invoices12-2012.htm

Good morning,

as reqeusted I give you inovices issued to you per sept. (Internet Explorer format)

Regards
The malicious payload is at [donotclick]veneziolo.ru:8080/forum/links/column.php hosted on the same IPs seen earlier today, the following IPs and domains are all related:

41.168.5.140
62.76.46.195
62.76.178.233
62.76.186.190
62.76.188.246
65.99.223.24
84.22.100.108
85.143.166.170
87.120.41.155
91.194.122.8
103.6.238.9
120.138.20.54
132.248.49.112
202.180.221.186
203.80.16.81
207.126.57.208
209.51.221.247
213.251.171.30
216.24.194.66
canadianpanakota.ru
controlleramo.ru
denegnashete.ru
forumibiza.ru
kiladopje.ru
lemonadiom.ru
limonadiksec.ru
monacofrm.ru
moneymakergrow.ru
omahabeachs.ru
peneloipin.ru
rumyniaonline.ru
uzoshkins.ru
veneziolo.ru

"Your flight" spam / monacofrm.ru

These spam email messages lead to malware on monacofrm.ru:

From: sales1@victimdomain.com [mailto:sales1@victimdomain.com]
Sent: 13 November 2012 04:04
Subject: Fwd: Your Flight A874-64581

Dear Customer,

FLIGHT NR: 1173-8627
DATE/TIME : JAN 27, 2013, 19:15 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 520.40 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.


NAOMI PATTON,

==========

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 13 November 2012 05:18
Subject: Re: Fwd: Your Flight A943-6733

Dear Customer,

FLIGHT NR: 360-6116
DATE/TIME : JAN 26, 2013, 14:12 PM
ARRIVING AIRPORT: SAN-DIEGO AIRPORT
PRICE : 997.25 USD

Your bought ticket is attached to the letter as a scan document .
To use your ticket you should print it.



Adon Walton,

==========

Date:      Tue, 13 Nov 2012 08:20:21 +0400
From:      accounting@victimdomain.com
Subject:      Re: Your Flight A230-63955
Attachments:     FLIGHT_TICKET_A04897499.htm

Dear Customer,



FLIGHT NR: 43070-0328

DATE/TIME : JAN 24, 2013, 12:19 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 323.97 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.



SHERILYN BREWER,

==========

Date:      Tue, 13 Nov 2012 02:14:56 +0700
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Your Flight A13-6235
Attachments:     FLIGHT_TICKET_A56970327.htm

Dear Customer,



FLIGHT NR: 7504-638

DATE/TIME : JAN 20, 2013, 18:10 PM

ARRIVING AIRPORT: SAN-DIEGO AIRPORT

PRICE : 089.74 USD



Your bought ticket is attached to the letter as a scan document .

To use your ticket you should print it.

ROSANA Gallo,

The malicious payload is at [donotclick]monacofrm.ru:8080/forum/links/column.php  hosted on the following IPs:

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
216.24.194.66 (Psychz Networks, US)

The Mongolian and Malaysian IPs have been used several times for malware attacks, 216.24.194.66 looks like a new one. Blocking them all would probably be prudent.

Added:

There's a Wire Transfer spam using the same payload too:

From: Amazon.com [mailto:account-update@amazon.com]
Sent: 13 November 2012 08:08
Subject: Fwd: Re: Wire Transfer Confirmation

Dear Bank Account Operator,

WIRE TRANSFER: FED8979402863338715
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

Monday, 12 November 2012

Cableforum.co.uk hacked?

Cableforum.co.uk is a popular and useful UK site about digital TV and broadband. Unfortunately, the email address list has leaked out and is being used for spamming, for example:

NatWest : Helpful Banking
Dear Valued Member ;

To prevent unauthorized access to your accounts, your online service has been temporarily locked. No further log in attempts will be accepted.
This is a procedure that automatically occur when an invalid information is submitted during the log in process.
Please follow the provided steps below to confirm your identity
and restore your online access:




https://www.nwolb.com/Brands/NWB/images/backgrounds/widepod_header_bottom_purple_login.gif
    

© Legal Info – Security
© 2005-2012 National Westminster Bank Plc 


This is a standard NatWest phish. It doesn't originate from Cableforum.co.uk or its servers, but it is sent to an address ONLY used for Cableforum, so it must have leaked out somehow.

So.. dutifully I pop across to Cableforum.co.uk and (changing my password en route) find the appropriate forum. It seems that the problem has already been spotted:

Here's one example:

So I received this email today:


Quote:
Date: Fri, 2 Nov 2012 10:15:08 -0400
From: NatWest Online [helpdesk@nwolb.com]
To: [removed]
Subject: Please Review Your Contact Details!!!


Dear Valued Member ;
To prevent unauthorized access to your accounts, your online service has been
+temporarily locked. No further log in attempts will be accepted.

..etc...
The email was sent to an address I've only used to register on Cable Forum and is a series of random characters that spammers wouldn't just 'guess'. Just wondering if anyone else has had this email? 

That's odd. That's exactly the same as me. And then there's another one:

I had two emails sent to both the addresses registered here on Cable Forum. Not sure why the earlier thread was so hastily closed?
Slightly off topic, why can I not edit my email address here?
When I attempt to change it I get this: The email address you entered is already in use. If you have forgotten your password, please click here.
I have not forgotten my password, I was trying to change it as well as my email. 

These are very precise reports from people using unique sign-on addresses. You'd think that would be pretty good evidence. So, armed with that you'd expect a concerned "we'll look into it" response. But instead the replies are:

Spammers don't "pick" anything. Their software generates emails at random and, yes, that includes strings_of_gibberish @yourdomain.

This site has not sold your email address.
This site has not been hacked, cracked or compromised.

The end.

Thread closed.
and

Threads of the same topic that have been closed should not be re-opened/re-created no matter what the circumstances are.

This issue cropped up several months ago and I will repeat what was said then...

We do not believe our systems have been compromised. There was no evidence to suggest an intrusion or breach took place. If anyone has any *Strong* Evidence to suggest other wise then contact us using the contact link below.

Thank you. 
which prompted a response from the original reporter:

The only spam I had was today, didn't have any earlier. I did get an explanation from the mod that closed it about how he didn't feel the thread was useful and that it would attract unwanted replies. But I think preventing people from discussing the issue stinks of a cover up (whether it is or not).

It would be much better to at least post a link to that thread, or some sort of explanation of what they think is happening rather than a dismissive knee-jerk response that it didn't happen when three people have claimed to receive the same email (and Osem says it happened before). All I want is an explanation about what happened and a promise that security of MY data is important but I don't feel like I'm getting that.  
What's worse is that this isn't the first time that this has been reported. Here's another one:

Today I received a not-so-subtle phishing email pretending to come from Santander, sent to my one-off email address associated with my cableforum account. I registered my account in 2009 and it's the first time I get spam/phish on this address. I don't really care if CF was hacked since I used a unique pw/email, but maybe a warning to other users would be the polite thing to do... 

But going back even further shows this thread with a lot of evidence that an email address leak has occured. One person who seems to know their stuff points:

Your database has been dumped and the damage is done as far as spam is concerned
now the question is are you

1) going to stick your head in the sand and thow around accusations
or
2) man up and fix the problem 

One of the Cableforum team shows just how far they can bury their head in the sand

But seriously, all in all, getting back to the main issue, there is about 5 people receiving it to their CF registered e-mail address and reporting it here so far. Co-incidence, yes but a very weak one. 
How many people do you think use unique emails for each site? Not many. That sort of evidence is very, very strong.. especially with multiple reports. That comment got this withering rebuke:

It's not a co-incidence at all. The emails are clearly of the same content and arrived within a small interval of each other and to CF-specific registered email addresses. If you're saying this is purely by chance and that all these email addresses were just "guessed" up by some automated program, then you're in denial.
 But another member of the CF team shows that they just don't understand it at all:

Given the extremely weak evidence provided and this appearing to only affect a very small number of members i.e less than 10, we do not believe that our systems have been breached and as a result we believe this to be the actions of brute force spamming.
Really? All these people with unique email addresses report the same spam. And it just gets dismissed?

But if you have the same problem.. forget it. All threads have been closed, creating new threads on the matter has been banned. In denial much?

Clearly there has been a problem for several months, although it isn't clear when such an address leak occurred or what data was taken with it. You should always assume that the passwords have been compromised and change it, plus change it anywhere that you re-use the same password.

Sadly, crap like this happens to good websites. And the best way to deal with it is to be honest and 'fess up so that members can act accordingly. Nobody likes to think that there site has been compromised, but in this case it clearly has been to some unknown extent.

I emailed Cableforum.co.uk to advise them (since new forum threads are banned). Let's see if I get a response..

Update: and other incidents are here and here.. so this isn't really an isolated problem.

Update 2:  predictably, raising the issue just gets the thread closed with the phrase "There is nothing to discuss and I am not interested in wild theories and stupid accusations that some how there is a cover up." Which just shows that there is a cover up..

Update 3:  and what is really ridiculous is that Cableforum mods are denying it, despite the fact that their site was recently hacked. And it isn't the first time, either.

Friday, 9 November 2012

Changelog spam / canadianpanakota.ru

This spam leads to malware on canadianpanakota.ru:

Date:      Fri, 9 Nov 2012 11:55:11 +0530
From:      LinkedIn Password [password@linkedin.com]
Subject:      Re: Changlog 10.2011
Attachments:     changelog4-2012.htm

Hello,
as promised changelog,(Internet Explorer File)
The attachment leads to a malicious payload at [donotclick]canadianpanakota.ru:8080/forum/links/column.php  hosted on the following IPs:

120.138.20.54 (SiteHost, New Zealand)
202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)


These IPs will probably be used in other attacks, blocking access to them now might be prudent. The following IPs and domains are all related:


120.138.20.54
202.180.221.186
203.80.16.81
canadianpanakota.ru
controlleramo.ru
donkihotik.ru
finitolaco.ru
fionadix.ru
forumibiza.ru
lemonadiom.ru
peneloipin.ru
moneymakergrow.ru