Sponsored by..

Thursday, 28 February 2013

usanewwork.com fake job offer

This fake job offer will be some illegal activity such as money laundering or reshipping stolen goods:

Date:      Thu, 28 Feb 2013 14:57:55 -0600
From:      andrzej.wojnarowski@[victimdomain]
Subject:      There is a vacancy of a Regional manager in USA:

If you have excellent administrative skills, working knowledge of Microsoft Office,
a keen eye for detail, well-versed in the use of social networking sites such as Twitter and Facebook,
are organized, present yourself well and are a team player with the ability to work independently,
are reliable and punctual and can understand and execute instructions are determined to work hard and succeed - we need you.

If you are interested in this job, please, send us your contact information:
Full name:
Country:
City:
E-mail:

Please email us for details: Paulette@usanewwork.com
In this case the email originated from 187.246.25.58, a Mega Cable customer in Guadalajara, Mexico. The domain is registered to an address that does not exist (there is no Pratt Avenue in Tukwila):

   Sarah Shepard info@usanewwork.com
   360-860-3630 fax: 360-860-3321
   4478 Pratt Avenue
   Tukwila WA 98168
   us

The domain was only registered two days ago on 28/2/13.


The nameservers ns1.stageportal.net and ns2.stageportal.net are shared by several other domains offering similar fake jobs:

arbeitsagentura.com
stepstonede.com
europswork.com
usanewwork.com
euroconsaltinn.com
europsconsult.com
stageportal.net

IP addresses involved are:
5.135.90.19 (OVH, France)
69.169.90.62 (Big Brain Host, US)
199.96.86.139 (Microglobe LLC, US)

This job offer is best avoided unless you like prison food.

For the record, these are the other registrant details.

stageportal.net:

      LAUREEN FREEMAN
      7538 TRADE ST.
      SAN DIEGO, CA 92121
      US
      Phone: +1.8585668488
      Email: wondermitch@hotmail.com

arbeitsagentura.com:

   Michael B. Jackson
   Michael Jackson info@arbeitsagentura.com
   909-542-7178 fax: 909-542-7311
   3832 Gordon Street
   Pomona CA 91766
   us

stepstonede.com:

   John L. Irizarry
   John Irizarry info@stepstonede.com
   858-450-8875 fax: 858-450-8811
   4808 Hamill Avenue
   San Diego CA 92123
   us

europswork.com:

   Connie J. Grooms
   Connie Grooms info@europswork.com
   626-448-5229 fax: 626-448-5211
   2815 Woodstock Drive
   El Monte CA 91731
   us

euroconsaltinn.com:

   Mamie W. Murray
   Mamie Murray info@euroconsaltinn.com
   920-245-0475 fax: 920-245-0411
   3390 Rockford Mountain Lane
   West Allis WI 53227
   us

europsconsult.com:

   Regina P. Clay
   Regina Clay info@europsconsult.com
   212-241-1581 fax: 212-241-1211
   408 Bell Street
   New York NY 10029
   us


"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
carmennavarro.es
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
filialkas.ru
finalions.ru
forumbmwr.ru
forumkinza.ru
forumligandaz.ru
forummersedec.ru
forummoskowciti.ru
forumny.ru
forumrogario.ru
forumusaaa.ru
forumvvz.ru
fuigadosi.ru
fzukungda.ru



"Follow this link" spam / sidesgenealogist.org

This rather terse spam appears to leads to an exploit kit on sidesgenealogist.org:

From: Josefina Underwood [mailto:hdFQe@heathrowexpress.com]
Sent: 27 February 2013 16:43
Subject: Follow this link

I have found it http://www.eurosaudi.com/templates/beez/wps.php?v20120226

Sincerely yours,
Sara Walton
The link is to a legitimate hacked site, and in this case it attempts to bounce to [donotclick]sidesgenealogist.org/closest/c93jfi2jf92ifj39ugh2jfo3g.php but at the time of writing the malware site appears to be overloaded. However, we can find an earlier report for the same sever here that indicates an exploit kit.

The malware is hosted on 188.93.210.226 (Logol.ru, Russia). I would recommend blocking the entire 188.93.210.0/23 range to be on the safe side. These other two domains are in the same AS and are currently active:

reinstalltwomonthold.org
nephewremovalonly.org
scriptselse.org
everflowinggopayment.net

Wednesday, 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malware is hosted at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumligandaz.ru
forumvvz.ru
forumusaaa.ru

US Airways spam / berrybots.net

This very details but fake US Airways spam leads to malware on berrybots.net:

Date:      Wed, 27 Feb 2013 08:09:36 -0500 [08:09:36 EST]
From:      bursarp1@email-usairways.com
Subject:      Your US Airways trip

US Airways - Your Reservation

Confirmation code:   B339AO

Date issued:   Tuesday, February 26, 2013


Barcode
[redacted]
Scan at any US Airways kiosk to check in
Passenger summary
Passenger name
Frequent flyer # (Airline)
Ticket number
Special needs
Angel Morris 40614552582 (US)   22401837506661    
Robert White   12938253579871     
Fly details Download to Outlook
Depart:    Philadelphia, PA  (PHL) Chicago, IL (O'Hare)  (ORD)

Date: Thursday, February 28, 2013
Flight #/ Carrier
Depart
Arrive
Travel time
Meal
Aircraft
Cabin
Seats
8766   
09:38 AM   PHL
10:56 AM   ORD
2h 18m
A320
Coach
236E 236A

Return:    Chicago, IL (O'Hare)  (ORD) Philadelphia, PA   (PHL)

Date: Wednesday, March 06, 2013
Flight #/ Carrier
Depart
Arrive
Travel time
Meal
Aircraft
Cabin
Seats
4394   
11:55 AM   ORD
02:49 PM  PHL
1h 54m
A320
Coach
10A 10B
  US Airways


Total travel cost (2 passengers)
2 Adults   $667.35 USD 
Taxes and fees  $95.25 USD 

Fare total $754.61 USD   

Total   $751.62 USD

Charged to
************XXX7 (Credit or Debit Card)

Helpful links


Bags

Pay for your checked bags when you check in online or at the airport! Read more about bags.
Carry ons* Carry-on bag Personal item
All flights $0 $0
Checked bags (each way/per person)* 1st bag 2nd bag
U.S. / Canada / Latin America / Caribbean / Bermuda / South America (except Brazil) $25 $35
Transatlantic $0 $100
Transpacific / Brazil (except Hawaii) $0 $0
*Carry-ons can be up to 40 lbs and up to 45 inches and a personal item is a handbag, briefcase or laptop bag.
**1st & 2nd checked bags can be up to 50 lbs and 62 inches except Brazil where you're allowed up to 70 lbs. Europe fees apply for travel to/from Asia through Europe. Baggage fees are non-refundable.


1st, 2nd and 3rd checked bag fees waived
  • Gold, Platinum and Chairman's Preferred members
  • Star Alliance Gold status members
1st and 2nd checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Confirmed First Class and Envoy passengers
  • Active U.S. military with ID on personal travel
  • Active U.S. military with ID and dependents traveling with them on orders
  • Unaccompanied minors (with US Airways unaccompanied minor paid assistance)
1st checked bag fees waived
  • (Overweight / oversize fees still apply)
  • Silver Preferred members
  • Star Alliance Silver status members
Other guidelines:
  • Overweight/oversize fees and fees for 3 or more bags apply. Read all baggage policies.
  • If you're traveling with an infant, the child is allowed 1 fully collapsible stroller or 1 child restraint device or car seat (no charge). If you're traveling internationally with an infant in lap, your child is also allowed 1 checked bag (checked bag fees apply - max 62 in/157 cm and 50 lbs/23 kg).
  • If one or more of your flights is on a partner airline, please check with the other airline for information on optional fees.



Terms & conditions
  • Ticket is non-transferable.
  • You must contact US Airways on or before your scheduled departure to cancel any or all of your flights. If you don't, your entire itinerary will be cancelled and there may be no remaining value to use toward another ticket.
  • Any change to this reservation, including flights, dates, or cities, is subject to a fee per passenger (according to the rules of the original fare). The new itinerary will be priced at the lowest available published fare at the time of change, which may result in a fare increase.
  • Ticket expires one year from original date of issue. Unflown value expires one year from original date of issue.
  • Read more about all US Airways taxes and fees.
  • You have 24 hours to cancel your reservation for a full refund. Please view this link.
  • Checked baggage fees may apply.
  • Air transportation on US Airways is subject to the US Airways Contract of Carriage. View this document in PDF format.
  • Security regulations may require us to disclose to government agencies the data you provide to us in connection with this reservation.
  • Changes to the country of origin are not permitted, except for changes between the United States and U.S. territories.
  • Send US your compliments and/or complaints.

We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com. Please do not reply to this email, it is not monitored. If you'd like to contact us, please visit our website.

Picture version (click to enlarge):
The malicious payload is at [donotclick]berrybots.net/detects/circulation-comparatively.php (report here) hosted on:118.97.77.122 (PT Telkon, Jakarta)
147.91.83.31 (AMRES, Serbia)
195.88.139.78 (Neiron Systems, Ukraine)

Recommended blocklist:
118.97.77.122
147.91.83.31
195.88.139.78
greatfallsma.com
lazaro-sosa.com
yoga-thegame.net
dekolink.net
saberdelvino.net
berrybots.net


Tuesday, 26 February 2013

Intuit spam / forumligandaz.ru

This fake Intuit spam leads to malware on forumligandaz.ru:

Date:      Tue, 26 Feb 2013 01:27:09 +0330
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Payroll Account Holded by Intuit


Direct Deposit Service Informer
Communicatory Only

We cancelled your payroll on Tue, 26 Feb 2013 01:27:09 +0330.

    Finances would be gone away from below account # ending in 8733 on Tue, 26 Feb 2013 01:27:09 +0330
    amount to be seceded: 3373 USD
    Paychecks would be procrastinated to your personnel accounts on: Tue, 26 Feb 2013 01:27:09 +0330
    Log In to Review Operation


Funds are typically left before working banking hours so please make sure you have enough Finances accessible by 12 a.m. on the date Cash are to be seceded.

Intuit must reject your payroll by 4 p.m. Central time, two banking days before your paycheck date or your state would not be paid on time.
QuickBooks does not process payrolls on weekends or federal banking holidays. A list of federal banking holidays can be viewed at the Federal Reserve website.

Thank you for your business.

Regards,
Intuit Payroll Services

The malicious payload is at [donotclick]forumligandaz.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:
31.200.240.153
83.169.41.58
fzukungda.ru
famagatra.ru
forumkinza.ru
forummersedec.ru
emmmhhh.ru
fuigadosi.ru
forummoskowciti.ru
errriiiijjjj.ru
forumrogario.ru
ejjiipprr.ru
forumbmwr.ru
filialkas.ru
finalions.ru
eiiiioovvv.ru
forumvvz.ru
forumligandaz.ru

Facebook spam / lazaro-sosa.com

This fake Facebook spam leads to malware on lazaro-sosa.com:

Date:      Tue, 26 Feb 2013 14:26:20 +0200
From:      "Facebook" [twiddlingv29@informer.facebook.com]
Subject:      Brian Parker commented your photo.

facebook
   
Brian Parker commented on Your photo.
Reply to this email to comment on this photo.
See Comment
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please unsubscribe.

Facebook, Inc., Attention: Department 415, PO Box 10001, Palo Alto, CA 90307
The malicious payload is at [donotclick]lazaro-sosa.com/detects/queue-breaks-many_suffering.php (report here) hosted on:

118.97.77.122 (PT Telkom, Indonesia)
147.91.83.31 (AMRES, Serbia)

Blocking these IPs is probably prudent.

Monday, 25 February 2013

"TrustKeeper Vulnerabilities Scan Information" spam / saberdelvino.net

Well this is new.. this "TrustKeeper Vulnerabilities Scan Information" spam leads to an exploit kit on saberdelvino.net:

From: Trustwave [porosity@e.trustwave.com]
Date: 25 February 2013 17:09
Subject: TrustKeeper Vulnerabilities Scan Information

To view this email as a web page, go here.

view email in a web browser
[redacted]
 

This is an auto-generated report to notice you that the scheduled TrustKeeper vulnerability scan of YOUR NETWORK SYSTEMS has completed and is not compliant.

IMPORTANT: During the scan, TrustKeeper Identified  some Vulnerabilities. Trustwave strongly recommends you review these findings as your overall PCI DSS compliance status may be affected.

TrustKeeper generated a vulnerability scan report. You may view these results by accessing TrustKeeper at:

    https://secure.trustwave.com
    User Name:[redacted]

You will receive an e-mail confirmation when the scan completes and your results are available.   Please note that this can take up to three days.

Note: If you monitor your network for activity, note that the TrustKeeper scan may originate from IP addresses in these ranges:

206.10.209.0/24
62.36.233.0/24

TrustKeeper is a certified remote assessment and compliance solution created by Trustwave and designed to help merchants meet the PCI DSS and achieve compliance with the associated programs of Visa®, MasterCard®, American Express®, Discover®, and other credit card associations. The TrustKeeper solution is an integrated easy-to-use tool that removes the challenge of navigating the complex PCI DSS requirements and provides a "one stop shop" for merchants to certify compliance.    

PLEASE DON'T REPLY TO THIS MESSAGE VIA EMAIL.
This mail is sent by an automated message system and the reply will not be received. Thank you for using TrustKeeper.

This email was sent to: [redacted]

This email was sent by: Trustwave
80 West Madison Street, Suite 1080, Chicago, IL, 60707, USA

We respect your right to privacy - view our policy
   

MANAGE SUBSCRIPTIONS           |            UPDATE PROFILE              |          ONE-CLICK UNSUBSCRIBE


The malicious payload is at [donotclick]saberdelvino.net/detects/random-ship-members-daily.php (report here) hosted on the following IPs:

118.97.77.122 (PT Telekon, Indonesia)
176.120.38.238 (Langate, Ukraine)

Blocklist:
118.97.77.122
176.120.38.238
greatfallsma.com
yoga-thegame.net
dekolink.net
saberdelvino.net
betheroot.net


Friday, 22 February 2013

LinkedIn spam / greatfallsma.com and yoga-thegame.net

This "accidental" LinkedIn spam is a fake and leads to malware on greatfallsma.com:

From: LinkedIn [mailto:papersv@informer.linkedin.com]
Sent: 22 February 2013 15:58
Subject: Reminder about link requests pending

See who connected with you this week on LinkedIn
Now it's easy to connect with people you email
Continue
 
This is an accidental LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
 
© 2013, LinkedIn Corporation. 2089 Stierlin Ct, Mountain View, CA 99063
Another example:

Date:      Fri, 22 Feb 2013 18:21:25 +0200
From:      "LinkedIn" [noblest00@info.linkedin.com]
Subject:      Reminder about link requests pending

�����

[redacted]
See who requested link with you on LinkedIn

Now it's easy to connect with people you email
Continue
   
This is an casual LinkedIn Marketing email to help you get the most out of LinkedIn. Unsubscribe
� 2013, LinkedIn Corporation. 2073 Stierlin Ct, Mountain View, CA 98043


The malicious payload is at [donotclick]greatfallsma.com/detects/impossible_appearing_timing.php (report here) hosted on:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

These are the same two servers used in this attack, blocking them would probably be a good idea.

UPDATE: the malicious domain yoga-thegame.net is also on the same servers (report here)

"Data Processing" spam / dekolink.net

This fake "Data Processing" spam leads to malware on dekolink.net:


Date:      Fri, 22 Feb 2013 08:06:43 -0500
From:      "Data Processing Service" [customersupport@dataprocessingservice.com]
Subject:      ACH file ID '768.579

Files Processing Service

SUCCESS Note
We have successfully handled ACH file 'ACH2013-02-20-5.txt' (id '768.579') submitted by user '[redacted]' on '2013-02-20 1:14:30.7'.
FILE SUMMARY:

Item count: 79

Total debits: $28,544.53

Total credits: $28,544.53

For more info click here

The malicious payload is at [donotclick]dekolink.net/detects/when-weird-contrast.php (report here) hosted on the following servers:

50.7.251.59 (FDC Servers, Czech Republic)
176.120.38.238 (Langate, Ukraine)

"End of Aug. Stat." spam / forummersedec.ru

This fake invoice email leads to malware on forummersedec.ru:

Date:      Fri, 22 Feb 2013 11:33:38 +0530
From:      AlissonNistler@[victimdomain]
Subject:      Re: FW: End of Aug. Stat.
Attachments:     Invoices-1207-2012.htm

Hallo,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer/Mozilla Firefox file)

Regards


The attachment attempts to redirect the victim to a malicious payload at [donotclick]forummersedec.ru:8080/forum/links/column.php (report here) hosted on

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)

The following IPs and domains are related and should be blocked:
84.23.66.74
122.160.168.219
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
familanar.ru
faneroomk.ru
filialkas.ru
finalions.ru
forummersedec.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

Thursday, 21 February 2013

"Scan from a Xerox WorkCentre Pro" spam / familanar.ru

This familiar printer spam leads to malware on the familanar.ru domain:

Date:      Thu, 21 Feb 2013 09:22:25 -0500 [09:22:25 EST]
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Re:  Scan from a Xerox WorkCentre Pro #800304

A Document was sent to you using a XEROX WorkJet PRO 760820.

SENT BY : BRYNN
IMAGES : 5
FORMAT (.JPEG) DOWNLOAD
The malicious payload is at [donotclick]familanar.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

Which are the same IPs found in this attack and several others. Block 'em if you can.

ACH transaction spam / payment receipt - 884993762994.zip

This fake ACH transaction spam comes with a malicous attachment:

Date:      Thu, 21 Feb 2013 14:32:08 -0500 [14:32:08 EST]
From:      Payment notification system [homebodiesga38@gmail.com]
Subject:      Automatic transfer notification

ACH transaction is completed. $443 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Receipt on payment is attached.

*** This is an automatically generated email, please do not reply *** 
Attached is a file called payment receipt - 884993762994.zip which unzips to payment receipt - 884993762994.exe which has a disappointing VirusTotal detection count of just 14/46. Automated analysis tools are inconclusive.

Blocking EXE-in-ZIP files at the perimeter generally causes very little trouble, assuming you can do it..

"Efax Corporate" spam / fuigadosi.ru

This fake eFax spam leads to malware on fuigadosi.ru:

Date:      Thu, 21 Feb 2013 -05:24:35 -0800
From:      LinkedIn Password [password@linkedin.com]
Subject:      Efax Corporate
Attachments:     EFAX_Corporate.htm



Fax Message [Caller-ID: 705646877]

You have received a 29 pages fax at Thu, 21 Feb 2013 -05:24:35 -0800, (913)-809-4198.

* The reference number for this fax is [eFAX-806896385].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.

The malicious payload is at [donotclick]fuigadosi.ru:8080/forum/links/column.php (report here) hosted on:

84.23.66.74 (EUserv Internet, Germany)
122.160.168.219 (Trackon Couriers, India)
210.71.250.131 (Chungwa Telecom, China)

The following domains and IPs are malicious and should be blocked:
84.23.66.74
122.160.168.219
210.71.250.131
eiiiioovvv.ru
ejjiipprr.ru
emmmhhh.ru
errriiiijjjj.ru
famagatra.ru
faneroomk.ru
finalions.ru
fuigadosi.ru
fulinaohps.ru
fzukungda.ru

ADP Spam / faneroomk.ru

This fake ADP spam tries (and fails) to lead to malware on faneroomk.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn
Sent: 20 February 2013 20:02
Subject: ADP Immediate Notification

ADP Immediate Notification
Reference #: 001737199

Thu, 21 Feb 2013 02:01:39 +0600
Dear ADP Client

Your Transfer Record(s) have been created at the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please see the following notes:
•    Please note that your bank account will be debited within one banking business day for the amount(s) shown on the report(s).
•    Please do not respond or reply to this automated e-mail. If you have any questions or comments, please Contact your ADP Benefits Specialist.

This note was sent to acting users in your system that approach ADP Netsecure.

As usual, thank you for choosing ADP as your business affiliate!

Ref: 890911798


HR. Payroll. Benefits.
The ADP logo and ADP are registered trademarks of ADP, Inc.
In the business of your success is a service mark of ADP, Inc.
© 2013 ADP, Inc. All rights reserved.

The malicious payload is meant to be [donotclick]faneroomk.ru:8080/forum/links/column.php but right at the moment it is not resolving.

We can perhaps do a little digging around to see what's going on here. The WHOIS details show the notorious Russian "Private Person".

whois -h whois.ripn.net faneroomk.ru ...
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain:        FANEROOMK.RU
nserver:       ns1.faneroomk.ru. 41.168.5.140
nserver:       ns2.faneroomk.ru. 110.164.58.250
nserver:       ns3.faneroomk.ru. 210.71.250.131
nserver:       ns4.faneroomk.ru. 203.171.234.53
nserver:       ns5.faneroomk.ru. 184.106.195.200
state:         REGISTERED, NOT DELEGATED, UNVERIFIED
person:        Private Person
registrar:     NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created:       2013.02.17
paid-till:     2014.02.17
free-date:     2014.03.20
source:        TCI

Last updated on 2013.02.21 17:16:40 MSK

Anyway. it's probably a good idea to block the domain and those NS IPs. The following IPs and domains are all related:


41.168.5.140
110.164.58.250
184.106.195.200
210.71.250.131
203.171.234.53
faneroomk.ru
fzukungda.ru
famagatra.ru
emmmhhh.ru
errriiiijjjj.ru
faneroomk.ru
ejjiipprr.ru
finalions.ru
fulinaohps.ru
eiiiioovvv.ru


Wednesday, 20 February 2013

Verizon Wireless spam / participamoz.com

This fake Verizon Wireless spam leads to malware on participamoz.com:


Date:      Wed, 20 Feb 2013 23:24:49 +0400
From:      "AccountNotify@verizonwireless.com" [cupcakenc0@irs.gov]
Subject:      Verizon wireless online bill.
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $48.15
Scheduled Automatic Payment Date: 02/25/2012
Mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> Review and Pay Your Bill

Thank you for choosing Verizon Wireless.

My Verizon is also available 24/7 to assist you with:
Vrowsing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...

2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 190WVB | Basking Ridge, NJ 07990
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.
The malicious payload is at [donotclick]participamoz.com/detects/holds_edge.php (report here) hosted on:
161.200.156.200 (Chulanet, Thailand)
173.251.62.46 (MSP Digital / Cablevision, US)

The following IPs and domains are connected should be treated as malicious:
161.200.156.200
173.251.62.46
prosctermobile.com
aftandilosmacerati.com
pardontemabelos.com
participamoz.com

   

SendSecure Support spam / secure_message_02202013_01590106757637303.zip

This fake SendSecure Support / Bank of America spam comes with a malicious attachment called secure_message_02202013_01590106757637303.zip:

Date:      Wed, 20 Feb 2013 11:23:43 -0400 [10:23:43 EST]
From:      SendSecure Support [SendSecure.Support@bankofamerica.com]
Subject:      You have received a secure message from Bank Of America

You have received a secure message.

Read your secure message by opening the attachment. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it.

If you have concerns about the validity of this message, please contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.bankofamerica.com/websafe/help?topic=Envelope
The zip file secure_message_02202013_01590106757637303.zip unzips into secure_message_02202013_01590106757637303.exe with a VirusTotal detection rate of 6/46. According to ThreatExpert, the malware installs a keylogger and also tries to phone home to:

blog.ritual.ca
dontgetcaught.ca

These sites are hosted on 74.208.148.35 which I posted about yesterday. Blocking access to this IP might mitigate against this particular threat somewhat.



"Wire transfer" spam / fulinaohps.ru

This fake wire transfer spam leads to malware on fulinaohps.ru:

Date:      Wed, 20 Feb 2013 04:28:14 +0600
From:      accounting@[victimdomain]
Subject:      Fwd: ACH and Wire transfers disabled.

Dear Online Account Operator,

Your ACH transactions have been
temporarily disabled.
View details

Best regards,
Security department
The malicious payload is at [donotclick]fulinaohps.ru:8080/forum/links/column.php (report here) hosted om the following IPs:

84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Internet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

These are the same IPs as used in this attack, you should block them if you can.

famagatra.ru injection attack in progress

There seems to be an injection attack in progress, leading visitors to hacked website to a malicious page on the server famagatra.ru.

The payload is at [donotclick]famagatra.ru:8080/forum/links/public_version.php?atd=1n:33:2v:1l:1h&qav=3j&yvxhqg=1j:33:32:1l:1g:1i:1o:1n:1o:1i&jehmppj=1n:1d:1f:1d:1f:1d:1j:1k:1l (report here) which is basically a nasty dose of Blackhole.


84.23.66.74 (EUserv Internet, Germany)
195.210.47.208 (PS Inernet Company, Kazakhstan)
210.71.250.131 (Chungwa Telecom, Taiwan)

The following domains are IPs are all part of the same evil circus:
84.23.66.74
195.210.47.208
210.71.250.131
efjjdopkam.ru
eiiiioovvv.ru
eipuonam.ru
ejiposhhgio.ru
ejjiipprr.ru
emaianem.ru
emalenoko.ru
eminakotpr.ru
emmmhhh.ru
enakinukia.ru
epilarikko.ru
epionkalom.ru
errriiiijjjj.ru
esigbsoahd.ru
estipaindo.ru
ewinhdutik.ru
exiansik.ru
exibonapa.ru
famagatra.ru
finalions.ru