
Thursday, 30 May 2013

Amazon.com 55 inch TV spam / ozonatorz.com

This earlier spam run about various brands of 55 inch TVs from Amazon has been updated and is now directing victims to a malware landing page on the domain ozonatorz.com:



From: auto-confirm@emlreq.amazon.com [mailto:bald4@customercare.amazon.com]
Sent: 29 May 2013 17:06
To: [redacted]
Subject: Amazon.com order of Akai NPK55KR9070 55-Inch

Amazon.com

Order Confirmation

[redacted]

Thank you for shopping with us. We'd like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.


Your estimated delivery date is:
Thursday, May 30, 2013 -
Friday, May 31, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Benjamin Phillips
2724 3rdCotton Avenue
Cohoes, CA 62229-6646
United States


Order Details

Order #175-7801666-2934626
Placed on Wensday, May 29, 2013

Facebook
Twitter
Pinterest
$979.98

Item Subtotal:
$979.98
Shipping & Handling:
$0.00

Total Before Tax:
$979.98
Estimated Tax:
$0.00


Order Total:
$979.98


To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.


The malicious payload is on [donotclick]ozonatorz.com/news/basic_dream-goods.php (report here) hosted on:
41.89.6.179 (Kenya Education Network, Kenya)
141.28.126.201 (Hochschule Furtwangen, Germany)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)

These IPs form part of a much larger network of malicious sites listed here, but if we concentrate on these IPs only we get the following blocklist:

Wednesday, 29 May 2013

University of Illinois CS department compromised

There's a bunch of malware sites infesting University of Illinois CS department machines in the 128.174.240.0/24 range, mostly pointed out in this post. Compromised machines are tarrazu.cs.uiuc.edu, croft.cs.illinois.edu, tsvi-pc.cs.uiuc.edu, mirco.cs.uiuc.edu, ytu-laptop.cs.uiuc.edu and node3-3105.cs.uiuc.edu; they are on the following IPs with the following malicious domains (I would recommend blocking the whole /24):


Update: the University says that this was a single machine on the network which has now been cleaned up.

Malware sites to block 29/5/13

These domains and IP addresses are connected to this malware spam run and belong to a group I call the "Amerika" gang (because they tend to use fake US addresses for their WHOIS details but really seem to be Russian).

It's quite a long set of lists: first there is a list of malware domains, then a list of malicious IPs and their web hosts, followed by a plain recommended IP blocklist for copy-and-pasting, and finally a list of IPs that are advertised as nameservers within this group, for research purposes only.

You might notice something odd going on at the University of Illinois in the 128.174.240.0/24 range. Hmm..
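The posts above recommend collapsing the five University of Illinois hosts into a block on the whole 128.174.240.0/24 while keeping single hits as individual addresses. The following is an added example (not code from the original blog) that parses lines in the post's "IP (host, country)" format and applies that rule; the sample input is constructed from IPs quoted on this page, and the collapse threshold of three hosts per /24 is an assumption.

```python
"""Collapse a list of malicious IPs into a blocklist (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the post's annotation format; values are from the post.
SAMPLE = """\
41.89.6.179 (Kenya Education Network, Kenya)
128.174.240.37 (University of Illinois, US)
128.174.240.52 (University of Illinois, US)
128.174.240.74 (University of Illinois, US)
128.174.240.153 (University of Illinois, US)
128.174.240.213 (University of Illinois, US)
177.5.244.236 (Brasil Telecom, Brazil)
208.68.36.11 (Digital Ocean, US)
208.68.36.11 (Digital Ocean, US)
"""

# "1.2.3.4 (annotation)" with the annotation optional.
LINE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(?:\((.*)\))?\s*$")


def parse_hosts(text):
    """Return (IPv4Address, annotation) tuples, skipping lines that do not parse."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255
        out.append((ip, (m.group(2) or "").strip()))
    return out


def build_blocklist(entries, collapse_at=3):
    """Group IPs by /24; once `collapse_at` distinct hosts share a /24, block
    the whole /24 (the post's advice for 128.174.240.0/24), otherwise emit
    the individual /32s. Duplicate IPs are folded away by the set."""
    by_net = defaultdict(set)
    for ip, _ in entries:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)
    blocks = []
    for net, ips in by_net.items():
        if len(ips) >= collapse_at:
            blocks.append(net)
        else:
            blocks.extend(ipaddress.ip_network(f"{ip}/32") for ip in ips)
    return sorted(blocks, key=lambda n: (int(n.network_address), n.prefixlen))


def is_blocked(blocklist, ip):
    """True if `ip` falls inside any entry of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


if __name__ == "__main__":
    for net in build_blocklist(parse_hosts(SAMPLE)):
        print(net)
```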

Domains:

IPs and hosts:

Recommended IP blocklist:

IPs advertising as nameservers (I'm pretty sure some of these are bogus, so use these for research purposes only):


55-Inch TV Amazon.com spam / federal-credit-union.com

This fake Amazon.com spam leads to malware on federal-credit-union.com:


From:     auto-confirm@email.amazon.net [loyolay3@emalsrv.amazonmail.com]
Reply-To:     "auto-confirm@email.amazon.net" [loyolay3@emalsrv.amazonmail.com]
Date:     29 May 2013 16:55
Subject:     Amazon.com order of Samsung UN554X6050 55-Inch

Amazon.com  |  Your Account  |  Amazon.com

Order Confirmation

Order #134-8080453-8538443

[redacted]

Thank you for shopping with us. We’d like to let you know that Amazon has received your order, and is preparing it for shipment. Your estimated delivery date is below. If you would like to view the status of your order or make any changes to it, please visit Your Orders on Amazon.com.
Your estimated delivery date is:
Thursday, May 30, 2013 -
Friday, May 31, 2013
Your shipping speed:
Next Day Air
Your Orders
Your order was sent to:
Tyler Scott
2516 Columbia Dr
Washington, WA 40830-9361
United States

Order Details

Order #134-8080453-8538443
Placed on Wensday, May 29, 2013
Samsung UN554X6050 55-Inch 1080p 120Hz LED 3D HDTV (Dark Grey)
Electronics
In Stock
Sold by World Wide Stereo, Inc.
$1,099.99
Item Subtotal: $1,099.99
Shipping & Handling: $0.00
Total Before Tax: $1,099.99
Estimated Tax: $0.00
Order Total: $1,099.99
To learn more about ordering, go to Ordering from Amazon.com.
If you want more information or need more assistance, go to Help.
Thank you for shopping with us.
Amazon.com
DVD
Books
Unless otherwise noted, items are sold by Amazon.com LLC and taxed if shipped to Kansas, North Dakota, New York, Kentucky or Washington. If your order contains one or more items from an Amazon.com partner it may be subject to state and local sales tax, depending on the state to which the item is being shipped. Learn more about tax and seller information.
This email was sent from a notification-only address that cannot accept incoming email. Please do not reply to this message.
I have also seen a similar spam with the subject "Amazon.com order of Sharp UN55EH5080 55-Inch" and I guess there are others. The spam goes through a legitimate hacked site and ends up on [donotclick]federal-credit-union.com/news/basic_dream-goods.php (report here). Luckily, right at the moment this domain is suspended and won't work. There is a very large number of connected domains, though, which I am compiling a blocklist for and will post later.

Update: some other subjects include "Amazon.com order of Panasonic UN55EH6030 55-Inch" and "Amazon.com order of Akai NPK55KR9070 55-Inch".

Update 2: the malicious landing page has been replaced with one using the domain ozonatorz.com.

Tuesday, 28 May 2013

Something (a bit) evil on 158.255.212.96 and 158.255.212.97

The IPs 158.255.212.96 and 158.255.212.97 (EDIS GmbH, Austria) are hosting malware used in injection attacks (see this example for fussball-gsv.de). These two examples report a TDS (traffic direction system) URL pattern that is resistant to automated analysis. The domains appear to be part of a traffic exchanger system (never a good idea), but they have been used to distribute malware.

The following sites are hosted on those two IPs, with the Google Safebrowsing diagnostic result for each:
linkstoads.net [no malware reported]
node1.hostingstatics.org [malware reported]
node2.hostingstatics.org
nodeph.hostingstatics.org
numstatus.com [no malware reported]
systemnetworkscripts.org [no malware reported]
finger2.climaoluhip.org [malware reported]
connecthostad.net [malware reported]
netstoragehost.com [malware reported]
nethostingdb.com [no malware reported]

In the cases where no malware has been reported it may well be because Google hasn't visited the site. The domains all have anonymous WHOIS details and have been registered in the past year or so.

I can identify a couple more IPs in this cluster, and I would advise you to treat all the domains here as suspect and add them to your blocklist:

fab.com spam

[Via the WeAreSpammers blog]

I've never heard of fab.com before, but online comments are very negative. Originating IP is 65.39.215.63 (Sailthru / Peer 1, US) spamvertising mailer.eu.fab.com on 63.251.23.249 (Insight Express LLC, US) which in turn leads to the main site of fab.com on 184.73.196.153 (Amazon.com, US). Avoid.

From: Fab [info@eu.fab.com]
To: donotemail@wearespammers.com
Date: 27 May 2013 17:26
Subject: Invite from jenotsxx@gmail.com to Fab
Mailing list: tm.3775.3198a5cdc7466d097e36916b482cde87.sailthru.com
Signed by: eu.fab.com

If you are unable to see this message, click here to view. To ensure delivery to your inbox, please add info@eu.fab.com to your address book.

Smile,

Great News! donotemail@wearespammers.com
Here's your exclusive invite from jenotsxx@gmail.com to join Fab. Fab provides daily design inspirations and sales from the world's leading designers at prices up to 70% off retail.

About Help Contact Us Return Policy Shipping Terms Privacy tw fb

Monday, 27 May 2013

Citibank spam / Statement 57-27-05-2013.zip

This fake Citibank email has a malicious attachment:

Date:      Mon, 27 May 2013 23:25:06 +0530 [13:55:06 EDT]
From:      Millard Hinton [leftoverss75@gmail.com]
Subject:      Merchant Statement

Enclosed (xlsx|Exel file|document|file) is your Citibank Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Citibank Paymentech.
Citibank Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Citibank Paymentech's or the Merchant's email service or otherwise. Citibank Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Citibank Paymentech Solutions, LLC payment processing services at Citibank.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 

The attachment Statement 57-27-05-2013.zip contains a malicious executable Statement 57-27-05-2013.exe with a VirusTotal result of 12/46. The Comodo CAMAS report and Anubis report are pretty inconclusive. The ThreatTrack report [pdf] is more comprehensive, showing some peer-to-peer traffic and access to the WAB (Windows Address Book). Simseer's prognosis is that this is a Zbot variant.

For the record, these are the checksums involved:
MD5: 0bbf809dc46ed5d6c9f1774b13521e72
SHA1: 9a50fa08e71711d26d86f34d8179f87757a88fa8
SHA256: 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400

Friday, 24 May 2013

Chase "Incoming Wire Transfer" spam / incoming_wire_05242013.zip

This fake Chase "Incoming Wire Transfer" email has a malicious attachment.

Date:      Fri, 24 May 2013 09:18:23 -0500 [10:18:23 EDT]
From:      Chase [Chase@emailinfo.chase.com]
Subject:      Incoming Wire Transfer


Note: This is a service message with information related to your Chase account(s). It may include specific details about transactions, products or online services. If you recently cancelled your account, please disregard this message.
CHASE    
          We're writing to let you know the "Incoming Wire Transfer Report" is available.
If you are not aware of this transaction or have concerns about the request, please contact your company administrator.

The detailed Information about this transaction is available in the attached file.

Account: BUSINESS CHECKING/SAVINGS ACCOUNT
Date of deposit: 05/24/2013
Transaction number: 1
Type: International Wire Transfer
Amount: $161,381.56

If you aren't enrolled in "Incoming Transfer Report's" and think you've received this message in error, please call our Customer Support team immediately, using the phone number on the "Contact Us" page on Chase Online.

Note: This e-mail may contain confidential information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

E-mail Security Information

If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here.

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing www.chase.com directly into your browser.


If you want to contact Chase, please do not reply to this message, but instead go to www.chase.com. For faster service, please enroll or log in to your account. Replies to this message will not be read or responded to.

Your personal information is protected by advanced technology. For more detailed security information, view our Online Privacy Policy. To request in writing: Chase Privacy Operations, PO Box 659752, San Antonio, TX 78265-9752.

JPMorgan Chase Bank, N.A. Member FDIC
2013 JPMorgan Chase & Co.
LCAA0213S

The attachment incoming_wire_05242013.zip contains an executable incoming_wire_05242013.exe with a detection rate of 9/47 at VirusTotal. The ThreatTrack report [pdf] and ThreatExpert report show various characteristics of this malware, in particular a callback to the following IPs and domains:

116.122.158.195
188.93.230.115
199.168.184.197
talentos.clicken1.com

Checksums are as follows:
MD5: f9182e5f13271cefc2695baa11926fab
SHA1: b3cff6332f2773cecb2f5037937bb89c6125ec15
SHA256: 0a23cdcba850056f8425db0f8ad73dca7c39143cdafc61c901c8c3428f312f2d