Sponsored by..

Wednesday, 17 July 2013

"Houston Marriott Westchase Reservation Confirmation" spam / marriott.com.reservation.lookup.viperlair.net

This fake Marriott spam leads to malware on marriott.com.reservation.lookup.viperlair.net:


Date:      Wed, 17 Jul 2013 05:12:22 -0800 [09:12:22 EDT]
From:      Marriott Hotels & Resorts Reservation [reservations@clients.marriottmail.org]
Reply-To:      reservations@clients.marriottmail.org
Subject:      Houston Marriott Westchase Reservation Confirmation #86903601

Marriott Hotels & Resorts Houston Marriott Westchase 2900 Briarpark Dr.,
Houston, Texas 77042 USA Phone: 1-713-978-7400 Fax: 1-713-735-2726
   
Reservation for [redacted]

    Confirmation Number: 86903601
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)

    Modify or Cancel reservation    

View View hotel website
Maps Maps & Transportation

Reservation Confirmation
Dear Client,

We are pleased to confirm your reservation with Marriott. Below is a summary of your booking and room information. We look forward to making your stay gratifying and memorable. When you're traveling away from home you can always count on Marriott.

Houston Marriott Westchase

Planning Your Trip

    See what's happening in Houston during your stay
    Check out some of Houston's top attractions

    Book with Hertz: Save up to 35% and Earn 500 Rewards Points
    Book Cars, Tours & More - get great rates on local tours and attractions


Reservation Details

    Confirmation Number: 86903601
    Your hotel: Houston Marriott Westchase
    Check-in: Sunday, July 21, 2013 (03:00 PM)
    Check-out: Wednesday, July 24, 2013 (12:00 PM)
    Room type: Guest room, 1 King or 2 Queen
    Number of rooms: 1
    Guests per room: 1
    Guest name: Jesus Bell
    Reservation confirmed: Wednesday, July 16, 2013 (21:55:00 GMT)
    Guarantee method: Credit card guarantee, VISA

Special request(s):

    •2 Queen Beds, Guaranteed
    •High Floor Room, Request Noted
    •I.D. Required, Request Noted


Summary of Room Charges     Cost per night per room (USD)
Sunday, July 21, 2013 - Wednesday, July 24, 2013 ( 3 nights=20 )     109.43
Govt/military rate, federal government ID required    
Estimated government taxes and fees     18.53
Total for stay (for all rooms)     469.89

    Complimentary on-site parking
    Valet parking, fee: 14 USD daily
    Changes in taxes or fees implemented after booking will affect the total room price.

You may modify or cancel your reservation online (see details below), or call our worldwide telephone numbers.

Contact us if you have questions about your reservation.
Canceling Your Reservation

    You may cancel your reservation for no charge until Friday, July 19, 2013 (1 day[s] before arrival).

    Please note that we will assess a fee of 127.53 USD if you must cancel after this deadline.

    If you have made a prepayment, we will retain all or part of your prepayment. If not, we will charge your credit card.

Modifying Your Reservation

    Please note that a change in the length or dates of your reservation may result in a rate change.
    Please be prepared to show proof of eligibility for your rate (such as a membership card, corporate or government identification card, or proof of your age).

Rewards Account Information
http://www.marriott.com/Images/email/rewards/logos/Silver_28x142.gif
Your Rewards level: Silver
Your Rewards number: 642268841

As a Silver Elite member, you can enjoy the following benefits during your stay (may vary by hotel):
20% Bonus on your Marriott Rewards base points
Priority Late Checkout
Guaranteed Room Type

Sign in to view account

    Sign up for eFolio to receive your hotel bill by email after each stay in the USA and Canada.
    Plan events, earn rewards with Rewarding Events.

50,000 Bonus Points    
50,000 Bonus Points

Earn 50,000 Bonus Points and an Annual Free Night with No Annual Fee the First Year. More Rewards, Faster with the Marriott Rewards Premier Credit Card.

Learn More and Apply

Travel Alerts

    Download the Marriott Mobile App. The Perfect Travel CompanionTM
    Please Note: All Marriott hotels in the USA and Canada, are committed to a smoke-free policy.
    Learn more
    The Responsible Tourist and Traveler
    A practical guide to help you make your trip an enriching experience

Look No Further
You've received the best possible rate - guaranteed.

Privacy, Authenticity and Opting Out

Your privacy is important to us. Please visit our Privacy Statement for full details.

This email confirmation is an auto-generated message. Replies to automated messages are not monitored. Our Internet Customer Care team is available to assist you 24 hours per day, 7 days per week. Contact Internet Customer Care.

Promotional email unsubscribe

If you provided us with your email address for the first time, we will send you a follow-up email to welcome you. We will also send you periodic emails with information about your account balance, member status, special offers and promotions. An opt-out link will be included in each of these emails so that you can change your mind at any time.
If you would prefer to opt out of such emails from Marriott International, Marriott Rewards or The Ritz-Carlton Rewards, you may do so here. In addition, you may unsubscribe from The Ritz-Carlton email community here

Please note: Should you unsubscribe from promotional email, we will continue to send messages for transactions such as reservation confirmation, point redemption, etc.

Confirmation Authenticity

We're sending you this confirmation notice electronically for your convenience. Marriott keeps an official record of all electronic reservations. We honor our official record only and will disregard any alterations to this confirmation that may have been made after we sent it to you.

If you have received this email in error, please let us know.
Terms of Use::Internet Privacy Statement

©1996-2013 Marriott International, Inc. All rights reserved. Marriott proprietary information.


The link in the email goes through a legitimate hacked site and lands on [donotclick]marriott.com.reservation.lookup.viperlair.net/news/marriott-ebill-order-confirmation.php (report here) hosted on  the following IPs:

viperlair.net is registered with fake WHOIS details that mark it out as belonging to the Amerika gang:

      miguel villegas
      15003 Elkhorn Dr
      FONTANA, CA 92336-5517
      US
      Phone: +1.9098998422
      Email: shanghaiherald32@yahoo.com


50.97.253.162 (Softlayer, US)
59.126.142.186 (Chunghwa Telecom, Taiwan)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
50.97.253.162
59.126.142.186
209.222.67.251
autorize.net.models-and-kits.net
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
ehnihenransivuennd.net
erawppa.com
ermitirationifyouwau30.net
estateandpropertty.com
firerice.com
fulty.net
gebelikokulu.net
generationpasswaua40.net
gondamtvibnejnepl.net
greenleaf-investment.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
linkedin.com-update-report.taltondark.net
marriott.com.reservation.lookup.viperlair.net
microsoftnotification.net
mycanoweb.com
pass-hc.com
quipbox.com
sendkick.com
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
treehouse-dreams.net
tvblips.net
twitter.com.greenleaf-investment.net
viperlair.net
vitans.net

Tuesday, 16 July 2013

Bank of America spam / stid 36618-22.zip

This fake Bank of America spam comes with a malicious attachment:

Date:      Tue, 16 Jul 2013 21:21:06 +0200 [15:21:06 EDT]
From:      Joyce Bryson [legalsr@gmail.com]
Subject:      Merchant Statement

Enclosed (pdflPDF|pdf file|document|file) is your Bank of America Paymentech electronic Merchant Billing Statement.
If you need assistance, please (contact|message|call) your Account Executive or call Merchant Services at the telephone number listed on your statement.
PLEASE DO NOT RESPOND BY USING REPLY. This (email|mail) is sent from an unmonitored email address, and your response will not be received by Bank of America Paymentech.
Bank of America Paymentech will not be responsible for any liabilities that may result from or relate to any failure or delay caused by Bank of America Paymentech's or the Merchant's email service or otherwise. Bank of America Paymentech recommends that Merchants continue to monitor their statement information regularly.
----------
Learn more about Bank of America Paymentech Solutions, LLC payment processing services at Bank of America.
----------
THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information intended only for the use of the recipient(s) named above. If you are not the intended recipient, you may not print, distribute, or copy this message or any attachments. If you have received this communication in error, please notify the sender by return e-mail and delete this message and any attachments from your computer. 

Attached is a file called stid 36618-22.zip which in turn contains stid 36618-22.exe which is a variant of Zbot. VirusTotal detections are just 11/47.

Anubis reports what appear to be several peer-to-peer connection attempts plus an attempted download from [donotclick]apsuart.com/741_out.exe that appears to fail. For what they are worth, hereis the Comodo CAMAS report, Malwr report and ThreatExpert report.

"Invoice 48920" spam / doc201307161139482.doc

This spam has a malicious word attachment, doc201307161139482.doc which contains an exploit.

From: Carlos Phillips [accounting@travidia.com]
Subject: Invoice 48920

Thanks !!

Greg

Precision Assemblies Products, Inc.Llc.
179 Nesbitt Hills
Holley, NY 51902
(176)-674-6500
nightmarewdp50@travidia.com
Note that the date is included into the filename. The document has an MS12-027 exploit with a VirusTotal detection rate of just 5/47.  In theory, if your copy of Microsoft Word is up-to-date you should be immune to this. VT gives the following checksums:

MD5   935e5cacde136d006ea1bb1201a3e6ef
SHA1   bc876d53ad002f1d6fd994d6717372f374d5e6dc
SHA256   8ae7ae35c37a618031c3ec0702871dc19c817bff4e5cf54f1169182fdc8d878c


The Malwr analysis shows some of the things going on, including network connections to:
mycanoweb.com
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
50.97.253.162 (Softlayer, US)
59.126.142.186 (Chungwa Telecom, Taiwan)
188.40.92.12 (Hetzner, US)
209.222.67.251 (Razor Inc, US)

classified.byethost11.com
209.190.24.9 (Enet / XLHost, US)

myhomes.netau.net
31.170.160.129 (Main Hosting, US)

UPDATE: The ThreatTrack report [pdf] shows similar characterstics, including an attempted download from [donotclick]mycanoweb.com/report/doc.exe which is a Zbot variant with a low detection rate. (Also see the Anubis, ThreatExpert and Malwr reports for that).

Most of the IPs for mycanoweb.com overlap with these belonging to the Amerika gang. The other two IPs are shared hosting and might block a relatively small number of legitimate sites.. I would lean towards blocking them now and unblock them later it there's a problem.

Recommended blocklist:
mycanoweb.com
classified.byethost11.com
myhomes.netau.net
46.45.182.27
50.97.253.162
59.126.142.186
188.40.92.12
209.222.67.251
209.190.24.9
31.170.160.129

Additional IPs for Zbot component:
182.237.17.180
194.44.219.226
210.56.23.100

Malware sites to block 16/7/13

These domains and IPs are associated with this gang. This time there appear to be some diet pill sites in the mix, these may be spammy or they may be malicious.. I would recommend blocking them all though.

24.173.170.230 (Time Warner Cable, US)
31.145.19.17 (Borusan Telekom / Ericsson, Turkey)
38.96.42.60 (PSInet / WiLogic Inc, US)
41.196.17.252 (Link Egypt, Egypt)
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S, Turkey)
46.246.41.68 (Portlane Networks, Sweden)
46.38.51.162 (TCTEL, Russia)
50.97.253.162 (Softlayer, US)
58.196.7.174 (CERNET, China)
59.124.33.215 (Chungwa Telecom, Taiwan)
59.126.142.186 (Chungwa Telecom, Taiwan)
59.160.69.74 (TATA, India)
61.220.221.92 (HINET / Chungwa Telecom, Taiwan)
64.49.246.226 (Rackspace, US)
69.162.76.10 (Limestone Networks, US)
74.93.56.83 (Comcast Business Communications, US)
77.240.118.69 (Acens Technlogies, Spain)
80.52.135.172 (TPNET, Poland)
81.17.140.138 (Velton.telecom, Ukraine)
82.165.41.13 (1&1, Philippines)
85.17.224.131 (Leaseweb, Netherlands)
85.119.187.145 (UNIWEB, Belgium)
87.236.211.159 (Azar Online, Iran)
88.86.100.2 (Supernetwork, Czech Republic)
89.161.255.30 (Home.pl, Poland)
89.248.161.146 (Ecatel, Netherlands)
95.111.32.249 (Mobitel / Megalan, Bulgaria)
98.192.168.80 (Comcast Communications, US)
103.9.23.34 (TPL Trakker, Pakistan)
108.179.8.103 (Tyco / Cablevision, US)
111.121.193.198 (China Telecom, China)
111.121.193.199 (China Telecom, China)
111.121.193.200 (China Telecom, China)
114.32.97.58 (HINET / Chungwa Telecom, Taiwan)
119.1.109.40 (QianXiNan County, China)
119.1.109.48 (QianXiNan County, China)
119.92.209.120 (Philippine Long Distance Telephone Company, Philippines)
128.252.158.57 (Washington University, US)
138.80.14.27 (Charles Darwin University, Australia)
140.115.43.187 (TANET, Taiwan)
143.239.87.38 (University College Cork, Ireland)
150.244.233.146 (Universidad Autonoma De Madrid , Spain)
151.155.25.109 (Novell, US)
151.155.25.111 (Novell, US)
172.255.106.17 (Nobis Technology Group, US)
173.167.54.139 (Iceweb Storage Corp / Comcast, US)
176.31.46.7 (OVH, France)
180.166.172.122 (China Telecom, China)
184.105.135.29 (Hurricane Electric, US)
188.132.213.115 (Hosting Internet Hizmetleri Sanayi Ve Ticaret Anonim Sirketi, Turkey)
190.85.249.159 (Telmex Colombia, Colombia)
192.241.205.26 (Digital Ocean, US)
193.95.91.78 (Agence Tunisienne Internet, Tunisia)
195.225.58.122 (C&A Connect SRL, Romania)
198.56.238.36 (Enzu Inc, US)
201.163.145.125 (Alestra, S. de R.L. de C.V., Mexico)
202.28.69.195 (UniNet, Thailand)
202.63.210.182 (CubeXS Private Lmited, Pakistan)
203.122.26.124 (Citycom Networks Pvt Ltd, India)
203.235.181.181 (Sejong Telecom, Korea)
203.236.232.42 (KINX, Korea)
207.254.1.17 (Virtacore Systems Inc, US)
208.115.114.68 (Wowrack, US)
209.222.67.251 (Razor Inc, US)
210.200.0.95 (Asia Pacific On-line Services Inc., Taiwan)
212.143.233.159 (013 Netvision Network, Israel)
222.20.90.25 (CERNET, China)

Blocklist:
24.173.170.230
31.145.19.17
38.96.42.60
41.196.17.252
46.45.182.27
46.246.41.68
46.38.51.162
50.97.253.162
58.196.7.174
59.124.33.215
59.126.142.186
59.160.69.74
61.220.221.92
64.49.246.226
69.162.76.10
74.93.56.83
77.240.118.69
80.52.135.172
81.17.140.138
82.165.41.13
85.17.224.131
85.119.187.145
87.236.211.159
88.86.100.2
89.161.255.30
89.248.161.146
95.111.32.249
98.192.168.80
103.9.23.34
108.179.8.103
111.121.193.198
111.121.193.199
111.121.193.200
114.32.97.58
119.1.109.40
119.1.109.48
119.92.209.120
128.252.158.57
138.80.14.27
140.115.43.187
143.239.87.38
148.81.111.91
148.81.111.92
150.244.233.146
151.155.25.109
151.155.25.111
172.255.106.17
173.167.54.139
176.31.46.7
180.166.172.122
184.105.135.29
188.132.213.115
190.85.249.159
192.241.205.26
193.95.91.78
195.225.58.122
198.56.238.36
201.163.145.125
202.28.69.195
202.63.210.182
203.122.26.124
203.235.181.181
203.236.232.42
207.254.1.17
208.115.114.68
209.222.67.251
210.200.0.95
212.143.233.159
222.20.90.25
abundanceguys.net
allgstat.ru
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
americimblog.com
amimeseason.net
androv.pl
aniolyfarmacij.com
antidoctorpj.com
aqua-thermos.com
astarts.ru
auditbodies.net
augel.pl
autocompletiondel.net
autorize.net.models-and-kits.net
autotradeguide.net
avenues.pl
basedbreakpark.su
beachfiretald.com
beatenunwield.com
bebomsn.net
beirutyinfo.com
bestofallforallas.pl
blacklistsvignet.pl
blindsay-law.net
bnamecorni.com
boats-sale.net
brandeddepend.com
brasilmatics.net
businessdocu.net
buty24-cool.com
buycushion.net
cabby.pl
centow.ru
chairsantique.net
charismasalonme.net
childrensuck.net
cirormdnivneinted40.ru
clik-kids.com
com.amazon.com.first4supplies.net
condalinarad72234652.ru
condalinaradushko5.ru
condalininneuwu36.net
condalinneuwu5.ru
condalinrwgw136.ru
condalnua745746.ru
cotime.pl
cpa.state.tx.us.tax-returns.mattwaltererie.net
cryoroyal.net
dasay.pl
datapadsinthi.net
doorandstoned.com
driversupdate.pw
dulethcentury.net
e-citystores.net
editionscode.com
e-eleves.net
effectivenesspre.com
eftps.gov.charismasalonme.net
ehchernomorskihu.ru
ehnaisnwhgiuh29.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
eliroots.ru
enchantingfluid.com
ensutringscal.net
enuhhdijsnenbude40.ru
ergopets.com
estateandpropertty.com
exterms.pl
faststream.pl
feminineperceiv.pl
filmstripstyl.com
fincal.pl
first4supplies.net
foremostorgand.su
freakable.net
fulty.net
gamnnbienwndd70.net
gcoordinatind.com
gebelikokulu.net
genie-enterprises.com
gentonoesleep.com
gerlos-hotel.net
getstatsp.ru
ghroumingoviede.ru
gnanosnugivnehu.ru
gondamtvibnejnepl.net
goodread.pl
gotip.pl
grivnichesvkisejj50.ru
guardianforyou.pl
gumfart.ru
hdmltextvoice.net
heidipinks.com
hemorelief.net
highsecure155.com
hingpressplay.net
hospitalinstitutee.com
hotautoflot.com
hotkoyou.net
hotpubblici.com
how-about-we.net
huang.pl
independinsy.net
info-for-health.net
initiationtune.su
insectiore.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
kirki.pl
krasalco.com
ledfordlawoffice.net
letsgofit.net
libulionstreet.su
linefisher.com
linkedin.com-update-report.taltondark.net
m.krasalco.com
made-bali.net
magiklovsterd.net
mantuma.pl
mattwaltererie.net
maxapps.pl
microsoftnotification.net
missdigitalworld.net
models-and-kits.net
modshows.net
morphed.ru
mosher.pl
nailapp.pl
namastelearning.net
ns3.thebodyfatsolutioncb.pl
nvufvwieg.com
offeringshowt.com
ompute.pl
oneday-movie.net
organizerrescui.pl
oupwareplanets.su
oydahrenlitu346357.ru
pinterest.com.reports0701.net
polymerplanet.net
porschetr-ml.com
potteryconvention.ru
privat-tor-service.com
przcloud.net
questphoneservice.net
quipbox.com
ratenames.net
recatalogfinger.net
relationshipa.com
relectsdispla.net
rentipod.ru
reports0701.net
rustin.pl
safebrowse.pw
scourswarriors.su
secrettapess.com
secureaction120.com
securednshooki.com
sendkick.com
sensetegej100.com
sitemax.pl
sklephoreca.pl
soberimages.com
spros.pl
stilos.pl
streetgreenlj.com
susubaby.net
tagcentriccent.net
tagcentriccent.pl
taltondark.net
tax-returns.gov.cpa.state.us.gebelikokulu.net
teakfromafrica.net
telecomerra.com
thebodyfatsolutioncb.pl
thebodyfatsolutionoi.pl
thegalaxyatwork.com
theguardian-newspaper.pl
therichboysmail.net
thetimesforyou.pl
thosetemperat.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
trymaximumslimbaba.pl
trymaximumslimbia.pl
trymaximumslimboa.pl
trymaximumslimbua.pl
trymaximumslimbuta.pl
trymaximumslimdel.pl
trymaximumslimeta.pl
trymaximumslimfea.pl
trymaximumslimfoa.pl
trymaximumslimfol.pl
trymaximumslimhoa.pl
trymaximumslimhol.pl
trymaximumslimhowa.pl
trymaximumsliminl.pl
trymaximumslimlacl.pl
trymaximumslimlal.pl
trymaximumslimlea.pl
trymaximumslimleta.pl
trymaximumslimlitta.pl
trymaximumslimmaa.pl
trymaximumslimmal.pl
trymaximumslimmea.pl
trymaximumslimmia.pl
trymaximumslimnel.pl
trymaximumslimnota.pl
trymaximumslimota.pl
trymaximumslimpaa.pl
trymaximumslimpal.pl
trymaximumslimpara.pl
trymaximumslimrata.pl
trymaximumslimroba.pl
trymaximumslimroll.pl
trymaximumslimroma.pl
trymaximumslimsaa.pl
trymaximumslimsal.pl
trymaximumslimsanda.pl
trymaximumslimsil.pl
trymaximumslimsina.pl
trymaximumslimsofa.pl
trymaximumslimsofl.pl
trymaximumslimsparl.pl
trymaximumslimteda.pl
trymaximumslimulda.pl
trymaximumslimundl.pl
tstatbox.ru
tvblips.net
u-janusa.net
ukbash.ru
unabox.pl
usenet4ever.net
usergateproxy.net
vahvahchicas.ru
vip-proxy-to-tor.com
vivendacalangute.net
wickedpl.com
wic-office.com
wordstudio.pl
wow-included.com
yourbodyfatsolutionaningm.pl
yourbodyfatsolutionharm.pl
yourbodyfatsolutionhom.pl
yourbodyfatsolutionlgf.pl
yourbodyfatsolutionlittm.pl
yourbodyfatsolutionlpa.pl
yourbodyfatsolutionlub.pl
yourbodyfatsolutionlui.pl
yourbodyfatsolutionmem.pl
yourbodyfatsolutionnak.pl
yourbodyfatsolutionncb.pl
yourbodyfatsolutionnff.pl
yourbodyfatsolutionnzk.pl
yourbodyfatsolutionronm.pl
yourbodyfatsolutionsam.pl
yourbodyfatsolutionsim.pl
yourbodyfatsolutionterm.pl
yourbodyfatsolutiontinm.pl
yourbodyfatsolutionuca.pl
yourbodyfatsolutionucb.pl
yourbodyfatsolutionuee.pl
yourbodyfatsolutionufd.pl
yourbodyfatsolutionuff.pl
yourbodyfatsolutionufg.pl
yourbodyfatsolutionugd.pl
yourbodyfatsolutionugf.pl
yourbodyfatsolutionuhh.pl
yourbodyfatsolutionukk.pl
yourbodyfatsolutionunb.pl
yourbodyfatsolutionunc.pl
yourbodyfatsolutionuoi.pl
yourbodyfatsolutionupa.pl
yourbodyfatsolutionusd.pl
yourbodyfatsolutionuub.pl
yourbodyfatsolutionuui.pl
yourbodyfatsolutionuvb.pl
yourbodyfatsolutionuvc.pl
yourbodyfatsolutionuzk.pl
yourbodyfatsolutionwam.pl
zestrecommend.com

Half your video missing in Windows Movie Maker? MS13-057 to blame.

I couldn't quite figure out why Windows Movie Maker was suddenly chopping off the top half of a video I was making..


I didn't investigate the problem very closely because I finished the project using Sony Vegas instead. However, it turns out that I am not alone.. an InfoWorld post also indicates that there are problems with Adobe Premiere Pro, Techsmith Camtasia Studio, Serif MoviePlus X6 plus some games due to the MS13-057 update pushed out a week ago.

If you are experiencing critical problems with missing video, then the only thing to do seems to be to uninstall the Windows Media Player patch listed as KB2803821 or KB2834904. If this isn't causing a problem then you may as well keep the patch in place to protect your system. I would expect another patch to be re-issued soon.

msi.com hacked with kristians1.net

The website of msi.com (a major computer manufacturer) has been hacked and is serving up malware, despite MSI being informed of the problem. Injected code pointing to the domain kristians1.net (83.143.81.2, ServeTheWorld AS Norway) has been injected into the site and is serving up an exploit kit (report here).

This is not the only time msi.com has been hacked. Most significantly, they recently had 50,000 accounts leaked and their site defaced. Zone H also reports several recent defacements and Google reports that part of the site has been listed as containing malware 4 times over the past 90 days.

What is the current listing status for msi.com?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2470 pages we tested on the site over the past 90 days, 16 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-15, and the last time suspicious content was found on this site was on 2013-06-16.Malicious software includes 23 exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 5 domain(s), including abdelmonem.net/, oportunidadesdesdesucasa.com/, jobsreal.biz/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including for-test-only.ru/.
This site was hosted on 10 network(s) including AS12859 (NL), AS26228 (SERVEPATH), AS8220 (COLT).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, msi.com appeared to function as an intermediary for the infection of 1 site(s) including 2k11.co.za/.

You really do have to question the competency of a company when it has this many hacks and breaches, especially when they make computers. How deeply do these breaches go?

Monday, 15 July 2013

UPS spam / tvblips.net

This fake UPS spam leads to malware on tvblips.net:


Date:      Mon, 15 Jul 2013 10:20:13 -0500
From:     
Subject:      Your UPS Invoice is Ready

   
This is an automatically generated email. Please do not reply to this email address.

Dear UPS Customer,

Thank you for your business.

New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center.

Please visit the UPS Billing Center to view and pay your invoice.



Questions about your charges? To get a better understanding of surcharges on your invoice, click here.


Discover more about UPS:
Visit ups.com
Explore UPS Freight Services
Learn About UPS Companies
Sign Up For Additional Email From UPS
Read Compass Online

� 2013 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential. If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Policy
Contact UPS

The link in the email goes to a legitimate hacked site that has some highly obfuscated javascript that leads to a malware landing page on [donotclick]tvblips.net/news/ups-information.php (report here) hosted on:


46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
209.222.67.251
allgstat.ru
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
ehnihenransivuennd.net
eliroots.ru
ensutringscal.net
estateandpropertty.com
filmstripstyl.com
fulty.net
gcoordinatind.com
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
irs.gov.tax-refunds.ach.treehouse-dreams.net
jonkrut.ru
linkedin.com-update-report.taltondark.net
magiklovsterd.net
mattwaltererie.net
microsoftnotification.net
nvufvwieg.com
offeringshowt.com
oupwareplanets.su
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
tax-returns.gov.cpa.state.us.gebelikokulu.net
toetotoetimef.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
tvblips.net
vip-proxy-to-tor.com
zestrecommend.com


NOST (NOST.QB) / NSU Resources Inc Pump and Dump Spam

Over the weekend a pump-and-dump spam run started for NSU Resources Inc trading as NOST.QB. NSU Resources almost definitely have nothing to do with this spam run. Here are a few examples:

Subject: This Stock MOVED HARD


Rubber Stamp N OS_T!!! With A Profoundly Humble Market Float,
The Indicated Rare Earth Business Is In Line To Quintuple.
Suspect For Big Publication In A Minute.

Trading Date: Mon, July 15th, 2013
Target Price: .36
Symbol traded: N OS_T
Company: NSU Resources
Last trade: 0.0175

Stay tuned this could get real good!!! An Amazing Buying
Opportunity!

----------

Subject: This Stock Is The Hottest Stock In The Whole Market!

Check Out NO S_T! Amid An Seriously Humble Public Float, The Indicated Rare
Earth Company Is Equipped To Burst! Suspect For Big Dissemination In A
Minute.

Symbol to buy: NO S_T
Trading Date: Monday, July 15
Long Term Target: $0.37
Company: NSU Resources Inc
Closed Price: .0175

Huge Potential! Actual Gains Success and Pick for Tomorrow!!!

----------

Subject: They`ve got their rally caps on!

Rubber Stamp N_O_ST. Including An Very Modest Public Float, The
Aforementioned Rare Earth Corporation Is Ready To Pop. Presume For Greater
Divulgence In Due Time.

Trade Date: Monday, July 15
Latest Pricing: 0.0175
Stock Symbol: N_O_ST
Long Term Target Price: $.15
Company: NSU Resources, Corp.

Time to buy! Major play, coming tomorrow morning!

----------

Subject: Look for Another Push Higher

Take On NO_ST!!! Including An Ultra Inconsequential Market Float, The
Indicated Rare Earth Stock Is On Tap To Explode!!! Envisage For Larger
Publication In Due Time!

Name: NSU Resources Inc.
Trade: NO_ST
Closed Price: $0.0175
Long Term Target: $.10
Trading Date: Monday, July 15th, 2013

Urgent! You Must Read! My Huge Pick.

Indeed, the stock really did move a lot on Friday, going up from $0.0031 per share to $0.02 by the end of the day. But what actually happened?

The reason for the increase in the share price is simple to see. Between 1pm and 2pm on Friday nearly 5.5 million shares of stock were bought in a 30 minute period at $0.0031 (for a total of about $17,000), probably all by the same party. The usual trade level for this stock is usually zero or close to zero. After 2pm subsequent buying (probably by speculators) added about another 750,000 shares but pushed the share price up to about $0.02 at close, a 545% increase which would (on paper) have netted the spammers a profit of $90,000. Not bad for a day's work.


In August 2010, NOST shares peaked at $5.40 per share. It's been a bit of a rollercoaster since then. Mostly downwards, leaving NOST as a thinly traded penny stock which is exactly the sort of thing that pump and dump spammers like.

The last major pump and dump we saw (HAIR) ran for over a month, and we can expect to see NOST spam for a while yet as the spammer - and perhaps whoever employed them - try to offload worthless shares onto unsuspecting investors. Avoid.

Friday, 12 July 2013

ygregistry.com.cn domain scam

This domain scam has been doing the rounds for years.

From:     Jim Wang [jim.wang@ygregistry.com.cn]
Date:     12 July 2013 15:44
Subject:     Regarding Asia/Cn/Hk domain name & Internet Keyword

Dear Manager,

(If you are not the person who is in charge of this, please forward this to your CEO,Thanks)

This email is from China domain name registration center, which mainly deal with the domain name registration in China and Asia. We received an application from Huahong Ltd on July 8, 2013. They want to register " [redacted] " as their internet keyword and China/Asia/Hongkong (CN/ASIA/HK) domain names. But after checking it, we find this name conflicts with your company. In order to deal with this matter better, so we send you email and confirm whether this company is your distributor or business partner in China or not?

Best Regards,

Jim
General Manager
Shanghai Office (Head Office)
3002, Nanhai Building, No. 854 Nandan Road,
Xuhui District, Shanghai 200070, China
Tel: +86 216191 8696
Mobile: +86 1870199 4951
Fax: +86 216191 8697
Web: www.ygregistry.com.cn
Registrars are not responsible for checking if domains infringe on someone's trademark or trading name. If they were then it would make the system unworkable. What we have here are a bunch of Chinese scammers who are trying to panic you into registering an overpriced domain name that you don't need. Ignore it, or if you really are worried about brand protection then look for a trustworthy registrar that you've actually heard of.



"TAX Return Reminder" / cpa.state.tx.us.tax-returns.mattwaltererie.net

This fake tax return reminder leads to malware on cpa.state.tx.us.tax-returns.mattwaltererie.net:

--- Version 1 --------------------

Date:      Fri, 12 Jul 2013 14:35:31 +0300
From:      DO.NOT.REPLY@REMINDER.STATE.TX.US.GOV
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $964.17. Please submit the tax refund request and allow us 2-5 business days to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=035549412645

For security reasons we will record your IP address, date and time.
Deliberate scam inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.


--- Version 2 --------------------


Date:      Fri, 12 Jul 2013 17:05:39 +0530 [07:35:39 EDT]
From:      tax.help@STATE.TX.GOV.US
Subject:      TAX Return Reminder

After the last quarter calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $909.70. Please submit the tax refund request and allow us 2-3 business days to process it.

A refund may be delayed for a variety of reasons.
For example submitting invalid records or applying after deadline

Returns can be electronically filed at www.cpa.state.tx.us/returns_caseid=488702484517

For security reasons we will record your IP address, date and time.
Deliberate wrong inputs are criminally pursued and indicated.
Please do not reply to this e-mail.

Please disregard this reminder if the return has already been submitted.
Unusually, the link in the email goes directly to the malware landing page rather than going through a legitimate hacked site, in this case directly to [donotclick]cpa.state.tx.us.tax-returns.mattwaltererie.net/news/tax_refund-caseid7436463593.php?[snip] (example 1, example 2) but I cannot get the malware to reveal itself (there's either a fault or it is resistant to analysis).

cpa.state.tx.us.tax-returns.mattwaltererie.net is hosted on the following IP addresses that are under control of what I call the Amerika gang:
46.45.182.27 (Radore Veri Merkezi Hizmetleri A.S., Turkey)
150.244.233.146 (Universidad Autonoma de Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

The domain mattwaltererie.net also features the fake US WHOIS details that are characteristic of the Amerika gang (which is where they get their name from).

      Marilyn Clark
      13578 Calderon Rd
      SAN DIEGO, CA 92129
      US
      Phone: +1.7143435399
      Email: tekassis@usa.com


Below is a partial blocklist that I would recommened you use in conjunction with this one:
46.45.182.27
150.244.233.146
203.236.232.42
209.222.67.251
americanexpress.com.krasalco.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
clik-kids.com
condalnua745746.ru
cpa.state.tx.us.tax-returns.mattwaltererie.net
datapadsinthi.net
delines.ru
ehnihenransivuennd.net
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gebelikokulu.net
gentonoesleep.com
getstatsp.ru
gondamtvibnejnepl.net
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
linkedin.com-update-report.taltondark.net
m.krasalco.com
magiklovsterd.net
mattwaltererie.net
nvufvwieg.com
offeringshowt.com
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
sendkick.com
streetgreenlj.com
taltondark.net
tor-connect-secure.com
treehouse-dreams.net
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com




Thursday, 11 July 2013

Malware sites to block 11/7/13

I noticed 188.138.89.106 (Intergenia AG, Germany) was the originating IP being used in this spam run using a hijacked 1&1 account, and VirusTotal thinks that the server is pretty darned evil. A quick poke at this box shows that has a number of multihomed malicious and C&C domains.

Looking at some of these servers, I'm suspicious that they may have been compromised using a Plesk vulnerability. Various domains are used for botnets, including some Bitcoin miners. There may be some formerly legitimate domains in this mix, but given the compromised nature of the servers I would not trust them.

37.123.112.147 (UK2.NET, UK)
37.123.113.7 (UK2.NET, UK)
68.169.38.143 (Westhost Inc, US)
68.169.42.177 (Westhost Inc, US)
74.208.133.134 (1&1, US)
85.25.86.198 (Intergenia AG, Germany)
109.123.95.8 (UK2.NET, UK)
188.138.89.106 (Intergenia AG, Germany)
212.53.167.13 (FASTCOM IP Net, Poland)
212.227.53.20 (1&1, Germany)
212.227.252.92 (1&1, Germany)
213.165.71.238 (1&1, Germany)
217.160.173.154 (1&1, Germany)

Recommended blocklist:
37.123.112.147
37.123.113.7
68.169.38.143
68.169.42.177
74.208.133.134
85.25.86.198
109.123.95.8
188.138.89.106
212.53.167.13
212.227.53.20
212.227.252.92
213.165.71.238
217.160.173.154
bayrische-kampfplantage.de
f.eastmoon.pl
final.toles.org
final.twiaci.com
fujimoto-group.jp
gigasbh.org
gigasphere.su
jobs.4zox.com
ks-reifenservice.de
mh-wellnesscoach.de
mikimouse.net
move-aube.fr
naturalcuresdoc.com
naturalcuresdocanswers.com
newbigjob.de
p15114714.pureserver.info
s.richlab.pl
secure.redirectsite.net
soulvampire-ice.de
streetdanceroom.de
tests.gigasbh.org
toles.org
treibholzundmeer.de
try.aktivoxigen.com
wireless-work.su
xixbh.com
xixbh.net
xray868.server4you.de
xxxxxxxxxxxxxxx.kei.su

"WTX Media INC" spam / dajizzum.com

This fake invoice spam from the nonexistant "WTX Media" leads to a malware landing page on dajizzum.com:

From: Rebecca Media [mailto:support@rebeccacella.com]
Sent: 11 July 2013 07:46
To: [redacted]
Subject: Subscription Details

We hereby inform you that your subscription has been activated, your login information is as follows:

Username: IX9322130
Password: X#(@kIE04N
Login Key: 839384

Please do not share the login information with anyone as this account is only for your use, sharing the account will result in account termination without a refund.
The credit card on file submited by you will be billed within 24 hours, in the amount of 499.00 GBP, amount equal to one year unlimited subscription.
Your bank statement will show up as being billed by "WTX Media INC".

If you have any questions or issues with your login as well as requests to upgrade or cancel your membership please contact us using the form at:

[donotclick]www.rebeccacella.com/wp-content/plugins/subscribe/


Any feedback is appreciated as we strive to improve our services constantly.
WTX Media Team
The link in the email goes through a legitimate but hacked website (rebeccacella.com) and lands on a malware landing page at [donotclick]dajizzum.com/team/administration/admin4_colon/fedora.php?view=44 (report here) which contains an exploit kit.

dajizzum.com is hosted on 109.123.100.219 (UK2.NET, UK) which appears to be a hijacked server. At the moment I can only see that one site hosted on this box, but blacklisting the IP as a precaution may be wise.

The spam originates from another malware server on 188.138.89.106 (more of this later) but it appears to use a compromised 1&1 account as the spamvertised domain, sender's address and SMTP relay of 212.227.29.10 all belong to that provider.

Wednesday, 10 July 2013

Visa spam / estateandpropertty.com and clik-kids.com

This fake Visa spam attempts to lead to malware on estateandpropertty.com:

Date:      Wed, 10 Jul 2013 13:20:38 -0300 [12:20:38 EDT]
From:      Visa [policemank3@newsletters.visabusinessnewsmail.org]
Reply-To:      flintierv34@complains.visabusinessnewsmail.org
Subject:      Update Your Business Visa Card Information


Your Visa Business card has been limited. Please update your information to reactivate your account.

Please proceed the link: http://visabusiness.com/fraud/warning_mail=81413185766854518964...96368, update necessary information and view further information that caused us to set a limit.
Your Case ID is: NW61826321176497

Look for unexpected charges or questionable activity, and if you see anything suspicious,don't wait to act.

This added security is to prevent any additional fraudulent charges from taking place on your account.


Notice: This Visa communication is furnished to you solely in your capacity as a customer of Visa Inc. (or its authorized agent) or a participant in the Visa payments system. By accepting this Visa communication, you acknowledge that the information contained herein (the "Information") is confidential and subject to the confidentiality restrictions contained in Visa's operating regulations, which limit your use of the Information. You agree to keep the Information confidential and not to use the Information for any purpose other than in your capacity as a customer of Visa Inc. or a participant in the Visa payments system. The Information may only be disseminated within your organization on a need-to-know basis to enable your participation in the Visa payments system.

Please be advised that the Information may constitute material nonpublic information under U.S. federal securities laws and that purchasing or selling securities of Visa Inc. while being aware of material nonpublic information would constitute a violation of applicable U.S. federal securities laws. This information may change from time to time. Please contact your Visa representative to verify current information. Visa is not responsible for errors in this publication. The Visa Non-Disclosure Agreement can be obtained from your Visa Account Manager or the nearest Visa Office.

This message was sent to you by Visa, P.O. Box 8999, San Francisco, CA 94128. Please click here to unsubscribe. 
The link in the email goes through a legitimate hacked site and then attemped t to go to a malware page at [donotclick]estateandpropertty.com/news/visa-report.php (report here) but it appears the registrar has nuked the domain, so the spammers have switched the link to [donotclick]clik-kids.com/news/visa-report.php (report here) instead. IPs involved are:

46.45.182.27 (Radore Veri Merkezi Hizmetleri, Turkey)
77.240.118.69 (Acens Technlogies, Spain)
150.244.233.146 (Universidad Autonoma De Madrid, Spain)
203.236.232.42 (KINX, Korea)
209.222.67.251 (Razor Inc, US)

Recommended blocklist:
46.45.182.27
77.240.118.69
150.244.233.146
203.236.232.42
209.222.67.251
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
astarts.ru
autorize.net.models-and-kits.net
beachfiretald.com
beatenunwield.com
bnamecorni.com
brandeddepend.com
centow.ru
chinadollars.net
clik-kids.com
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
datapadsinthi.net
delines.ru
eftps.gov.charismasalonme.net
ehnihenransivuennd.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
eliroots.ru
estateandpropertty.com
filmstripstyl.com
fulty.net
gentonoesleep.com
getstatsp.ru
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
hdmltextvoice.net
hingpressplay.net
joinproportio.com
jonkrut.ru
m.krasalco.com
magiklovsterd.net
meynerlandislaw.net
nvufvwieg.com
offeringshowt.com
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
privat-tor-service.com
quipbox.com
relationshipa.com
relectsdispla.net
reports0701.net
reveck.com
salesplaytime.net
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
streetgreenlj.com
tor-connect-secure.com
tstatbox.ru
vip-proxy-to-tor.com
zestrecommend.com

Something evil on 199.231.93.182

199.231.93.182 (Webline Service, US suballocated to "Alex Capersov") is hosting a number of exploits [1] [2] being used in injection attacks. In the sample I saw, code had been injected into the legitimate site englishrussia.com possibly through a traffic exchanger.

The following domains are all hosted on or are associated with this IP. There's a shorter list at the bottom of the post without the subdomains that you might want to use as a blocklist.

afxcccck.namesjustnowsdossier.org
asddfs.bobsfuddscontrolls.info
asdfg.moneynoobslabs.biz
asfdasdf.netsristingboss.pw
assdfsa.monsterskillsd.biz
azvvbxe3.locksdayswongs.biz
bazdoacagiu.com
bobsfuddscontrolls.com
bobsfuddscontrolls.info
bulkoziedname.ws
buttonsyourece.biz
buttonsyourece.info
ddscontrolls.biz
ddscontrolls.info
ddsfsfaall.nameswwioodoo.net
ds34faall.nameswwioodoo.net
dsccfksd.namesselwarsducks.com
dsfkcxcd.namesselwarsducks.com
dsfrrds.originalsolldsbeps.biz
dsfsdf.namesselwarsducks.biz
dsfsdf.netsristingboss.pw
dsskkk.nameswwisconsinoodoo.com
dsszzsekkk.nameswwisconsinoodoo.com
dvldp.locksdayswongs.biz
dvxxdckv.sitesjustnowsdossier.biz
fdgrthhsdffd.lardobur.biz
fgdksd.bobsfuddscontrolls.biz
fgdsdfksd.bobsfuddscontrolls.biz
fsaal.ddscontrolls.biz
fsasdfal.ddscontrolls.biz
ksdvss.buttonsyourece.biz
ksvfss.buttonsyourece.biz
moneynoobslabs.biz
moneynoobslabs.info
namesjustnowsdossier.info
namesjustnowsdossier.net
namesjustnowsdossier.org
namesselwarsducks.biz
popalardo.net
popalardobur.net
sasdfsa.monsterskillsd.biz
sddffqrr.yourddscontrolls.biz
sddsfsd.domslingsfine.net
sdffaa.siteswollshertuners.com
sdfgsslsdf.bobsfuddscontrolls.com
sdflfdsdf.bobsfuddscontrolls.com
sdflsdf.bobsfuddscontrolls.com
sdfsd.domslingsfine.net
sfsbfa.ddscontrolls.info
sfsfa.ddscontrolls.info
simplibigidealog.ws
sitesjustnowsdossier.biz
ssdfsdfsa.monsterskillsd.biz
twoandhalfyear.ws
worrds.originalsolldsbeps.biz
yourddscontrolls.biz

Recommended blocklist:
bazdoacagiu.com
bobsfuddscontrolls.biz
bobsfuddscontrolls.com
bobsfuddscontrolls.info
bulkoziedname.ws
buttonsyourece.biz
buttonsyourece.info
ddscontrolls.biz
ddscontrolls.info
domslingsfine.net
lardobur.biz
locksdayswongs.biz
moneynoobslabs.biz
moneynoobslabs.info
monsterskillsd.biz
namesjustnowsdossier.info
namesjustnowsdossier.net
namesjustnowsdossier.org
namesselwarsducks.biz
namesselwarsducks.com
nameswwioodoo.net
nameswwisconsinoodoo.com
netsristingboss.pw
originalsolldsbeps.biz
popalardo.net
popalardobur.net
simplibigidealog.ws
sitesjustnowsdossier.biz
siteswollshertuners.com
twoandhalfyear.ws
yourddscontrolls.biz


Tuesday, 9 July 2013

"Payment File Successfully Processed" spam / autorize.net.models-and-kits.net

This spam leads to malware on autorize.net.models-and-kits.net:

Date:      Tue, 9 Jul 2013 15:36:42 -0500
From:      batchprovider@eftps.gov
Subject:      Payment File Successfully Processed

*** PLEASE DO NOT REPLY TO THIS MESSAGE***

Dear Batch Provider,

This message is being sent to inform you that your payment file has successfully processed. 2013-07-09-12.08.00.815358

Detailed information is available by logging into the Batch Provider software by clicking this link and performing a Sync request.
Thank You,
EFTPS

Contact Us: EFTPS Batch Provider Customer Service
at this link
A sender's email address of batchprovider@email.eftpsmail.gov is seen in another sample. The link goes through a legitimate hacked site and ends up an a malware laden page at [donotclick]autorize.net.models-and-kits.net/news/shortest-caused-race.php (report here) hosted on:

77.240.118.69 (Acens Technlogies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (UniNet, Thailand)

All these IPs and more can be found in this recommended blocklist. Out of these four IPs we can see the following malicious domains which should also be blocked if you can't block the IPs themselves..

77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
amazon.com.first4supplies.net
americanexpress.com.krasalco.com
aniolyfarmacij.com
autorize.net.models-and-kits.net
charismasalonme.net
chinadollars.net
com.amazon.com.first4supplies.net
condalinneuwu5.ru
condalnua745746.ru
eftps.gov.charismasalonme.net
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
fulty.net
gnanisienviwjunlp.ru
gondamtvibnejnepl.net
grivnichesvkisejj50.ru
m.krasalco.com
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
quipbox.com
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Update: a different spam is also circulating with the same payload:


Date:      Tue, 9 Jul 2013 06:56:26 -0800
From:      "Authorize . Net" [emailreceipts@news.authorizemail.net]
Subject:      Successful Credit Card Settlement Report.

Your Authorize.Net ID is: 1263577
Dear [redacted],

The following is your Credit Card settlement report for Sunday, July 09, 2013.

Transaction Volume Statistics for Settlement Batch dated 9-Jul-2013 11:0:55 PDT:
Batch ID: 668271114
Business Day: 09-Jul-2013
Net Batch Total: 9,917.74 (USD)
Number of Charge Transactions: 99
Amount of Charge Transactions: 9,917.74
Number of Refund Transactions: 7
Amount of Refund Transactions: 105.64

Warning! Your Batch limits for July exceeded!
To view details, please click here to log into the Merchant Interface.

If you have any questions regarding this settlement report, please contact your bank or you can contact Customer Support at this link.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.



Xerox WorkCentre (or is it HP Digital Device?) spam / SCAN_129_07082013_18911.zip

This fake printer spam has a malicious attachment:

Date:      Mon, 8 Jul 2013 12:20:24 -0500 [07/08/13 13:20:24 EDT]
From:      HP Digital Device [HP.Digital8@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: [victimdomain]
Number of Images: 8
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: OM7IEQ4M22

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/
In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file). VirusTotal detections are 26/47 and identify it as a generic downloader, Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com

The ThreatTrack report reveals more details [pdf] including the subsequent download locations as does the ThreatExpert report.

[donotclick]lacasadelmovilusado.com/bts1.exe
[donotclick]common.karsak.com.tr/FzPfH6.exe
[donotclick]ftp.vickibettger.com/oEoASW64.exe
[donotclick]qualitydoorblog.com/qbSTq.exe

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.

64.136.115.72
66.63.204.26
68.7.103.29
76.226.114.217
77.30.83.91
78.131.54.252
84.59.131.0
85.107.90.53
87.18.47.40
90.189.37.85
94.240.240.106
95.246.170.150
107.217.117.139
108.234.133.110
180.247.156.110
181.67.52.88
190.202.83.105
200.91.49.183
201.209.58.176
212.71.16.46
217.132.249.173
221.215.31.50

Recommended blocklist:
gfpmenusonline.com
gfponlineordering.com
solarrec-auction.com
chapter2weddings.com
pecoprocurement.com
2brothersdelimenu.com
2ndtimearoundweddingphotography.com
bobkahnvideo.com
lacasadelmovilusado.com
common.karsak.com.tr
ftp.vickibettger.com
qualitydoorblog.com
64.94.100.116
198.173.93.218
212.58.2.22

Monday, 8 July 2013

sendgrid.me / amazonaws.com spam

This spam is unusual in that it comes through an apparently genuine commercial email provider (sendgrid.me) and leads to malware hosted on Amazon's cloud service, amazonaws.com. There is no body text in the spam, just an image designed to look like a downloadable document.

from:     [victim] via sendgrid.me
date:     8 July 2013 19:08
subject:     Urgent 6:08 PM 244999
Signed by:     sendgrid.me

The email appears to originate from 138.91.78.32 which is a Microsoft IP, so that part of the mail header might be faked. It certainly comes through 208.117.55.132 (o1.f.az.sendgrid.net)

The text at the bottom says "Please find attached the document." but actually leads to a malicious executable at [donotclick]s3.amazonaws.com/ft556/Document_948357853____.exe [https] (VirusTotal report) which then downloads a further executable from [donotclick]s3.amazonaws.com/mik49/ss32.exe [http] (VirusTotal report) which installs itself into C:\Documents and Settings\Administrator\Application Data\ss32.exe.

ThreatExpert reports that the downloader (the first executable) is hardened against VM-based analysis:
Is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).
Anubis, Comodo CAMAS, Malwr and ThreatTrack give various clues as to what the downloader is doing.

The second part (ss32.exe) attempts to lookup a server called mssql.maurosouza9899.kinghost.net 177.185.196.130 (IPV6 Internet Ltda, Brazil) according to CAMAS and Anubis identifies an attempted connection to bit.ly/15aDtjB  which attempts to connect to an unregistered domain of www.mdaijdasid.com (report here). Malwr gives some further information on system changes as does ThreatTrack. ThreatExpert reports seeing Themida again.

Quite what the second part of the malware does is unclear, and it may simply be that the mdaijdasid.com hasn't been registered quite yet but will be later. VirusTotal does report some other badness on 177.185.196.130 so this is probably worth blocking.

Recommended blocklist:
177.185.196.130
mssql.maurosouza9899.kinghost.net
mdaijdasid.com
s3.amazonaws.com/mik49/
s3.amazonaws.com/ft556/
bit.ly/15aDtjB

Amex spam / americanexpress.com.krasalco.com

This fake Amex spam leads to malware on americanexpress.com.krasalco.com:

    
From: American Express [mailto:AmericanExpress@emalsrv.aexpmail.org]
Sent: 08 July 2013 15:00
Subject: Account Alert: A Payment Was Received


Check your account balance online at any time


   

    Hello, [redacted]
            



________________________________________    View Account

Make a Payment

   
Manage Alerts Preferences





Payment Received   

________________________________________    Check Balance



   
   
       
We received a payment for your Card account.

     Date Received:
         Mon, Jul 08, 2013
     Payment Amount:
         $2,511.92

Payments received after 8PM MST may not be credited until the next day. Please allow 24-48 hours for your payment to appear online.

Thank you for your Cardmembership.

American Express Customer Care

Was this e-mail helpful? Please click here to give us your feedback.

If you'd like to stop receiving this alert, simply click here.
   
   




Like Us on Facebook


Follow Us on Twitter


Subscribe to our channel


Share with Foursquare friends

   
       
    Contact Us
|    Privacy Statement
|    Add us to your address book


Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us via customer service.

© 2013 American Express. All rights reserved.

AU0S0RF76947278       


The link in the email goes through a legitimate hacked site to end up on a malicious landing page at [donoclick]americanexpress.com.krasalco.com/news/slightly_some_movie.php (report here) hosted on the following IPs:

77.240.118.69 (Acens Technologies, Spain)
103.9.23.34 (TPL Trakker Ltd, Pakistan)
151.155.25.111 (Novell Inc, US)
202.28.69.195 (Uninet, Thailand)

Blocklist:
77.240.118.69
103.9.23.34
151.155.25.111
202.28.69.195
afabind.com
americanexpress.com.krasalco.com
aniolyfarmacij.com
chinadollars.net
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
first4supplies.net
gindonszkjchaijj.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
meynerlandislaw.net
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com
spanishafair.com
vahvahchicas.ru

Friday, 5 July 2013

EBC "Password Reset Confirmation" spam / paynotice07.net

This fake password reset spam leads to malware on paynotice07.net:

From: EBC_EBC1961Registration@ebank6.secureaps.com
Sent: 05 July 2013 12:27
Subject: Password Reset Confirmation


Your Online Bankking password was successfully changed on 07/05/2013. If you did not make this change, or if you have any questions, please contact EBC Technical Support using this link.

Support is available Monday - Friday, 8 AM to 8 PM CST.

This is an automated message, please do not reply. Your message will not be received.
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************ 
The link goes through a legitimate hacked site and ends up on a payload at [donotclick]paynotice07.net/news/must-producing.php (report here) hosted on the following IPs:

189.84.25.188 (DataCorpore Serviços e Representações, Brazil)
202.28.69.195 (Walailuk University, Thailand)

Blocklist:
189.84.25.188
202.28.69.195
afabind.com
aniolyfarmacij.com
condalinneuwu5.ru
condalnua745746.ru
ehnihjrkenpj.ru
ehnihujasebejav15.ru
gnanisienviwjunlp.ru
grivnichesvkisejj50.ru
patrihotel.net
paynotice07.net
pinterest.com.reports0701.net
reports0701.net
reveck.com
sartorilaw.net
sendkick.com
smartsecurity-app.com

Thursday, 4 July 2013

Mystery spam leads to Emailmovers Ltd (emailmovers.com / emvrs.co)

Some time ago I received a spam sent to a scraped email address promoting email marketing services (i.e. spam) which features fake contact details and a carefully anonymised web site at prospectdirect.org that shielded the identity of the spammers.

So who was behind this spam? Well, the easiest way to find out was to pretend to be interested. I filled in the contact form on the site and eventually got a reply from an outfit called Email Movers Ltd. Now, let's be clear - I don't know 100% that Email Movers were responsible for sending the original spam, but somehow my "lead" ended up with this UK-based marketing company.

The enquiry I made was about PPI leads, the mainstay of many sleazy marketing outfits.  The response I got was as follows:

From:     Jonathan Coleman [jonathan.coleman@emailmovers.com]
Date:     23 May 2013 11:06
Subject:     RE - PPI Leads

Hi [redacted],

Thank you for your enquiry. We have excellent PPI data consisting of over 1 million contacts.

The database consists of UK consumers who have taken out a loan within the last 6 years with a payment protection policy attached to the loan. We have called each consumer from a 300 seat call centre in order to verify these details. The flat file we used in order to contact these consumers was originally one of the country’s largest loan packagers completion files.


Available:
Data Name
Home address
Postcode
Landline telephone number
Mobile telephone number

Selections:
Available 300+ selections available via our syndicated multiple overlay platform.
Example selections include:
Credit rating
Credit history
Credit ac
-----------------------------------------------------------------

The data doesn't get released, we will conduct the email broadcast for you. Min order value applies, no less than 50 000 records and it is £1650. Other volumes are priced as following:

50,000 at £1650 + VAT
100,000 at £1990 + VAT
250,000 at £2700 + VAT
500,000 at £4300 + VAT
1 Million at £8000 + VAT

What do you think?

Jonathan Coleman

Senior Account Manager

D: +44 (0)1723 800022
T: +44 (0)845 226 7181
   

Trusted email validation Try Email Inspector  |   Targeted Marketing at a click Try Countrunner

Emailmovers Ltd, Pindar House, Thornburgh Road, Scarborough, North Yorkshire, YO11 3UY UK

Registered in England No. 5046417. Registered office: Medina House, No 2 Station Avenue, Bridlington, YO16 4LZ. United Kingdom.
View email disclaimer

This email comes from an emailmovers.com address with a link to a website emvrs.co. The email originates from a Google IP, so no real clue as to its origin.

Emailmovers have been around for quite a while, but they had attracted quite a lot of adverse comments for spam [1] [2] [3] [4] [5] [6] [7] [8] [9]. They have quite a lot of websites too, in addition to emailmovers.com and emvrs.co, but one in particular caught my eye.. the domain emailinspector.co.uk which is an "email validation" service. Check out the last paragraph in particular:
Email databases decay at an alarming rate. It is imperative to keep your data as accurate and as clean as possible to maintain a good sender reputation and improve the deliverability of your email list.

Email Inspector is a revolutionary new way of updating and cleansing your email addresses without risking blacklisting your IP. This online service allows you to upload bulk lists of email addresses to check for bounces, wrong addresses and duplicates and leaves you with a clean and up-to-date list that is ready for use.

We can also take your database in-house for further analysis to strip out known complainers and run it against our master spam trap file in our full bureau service.


There's another word for this process.. ListWashing. Legitimate mailing lists should never contain spamtrap data, this is only of use if dealing with scraped or malware-harvested email addresses. Exactly what sort of customers is Emailmovers after with a service like this?

The company QuotesPlease Ltd appears to be largely the same operation, with the same personnel and at the same address.

They own several other domains, at least one of which (email-databases.com) has been hacked (see report), also bizibuy.com has been compromised and defaced. theemailexpert.com has also been defaced recently. I don't know if those server contained any personally identifiable data or not.

Perhaps Emailmovers contracted out the lead generation to another party and buy those leads in good faith. I'm sure you can make up your own mind as to how likely that is.

These following domains all appear to belong to Emailmovers Ltd or QuotesPlease Ltd, do with them what you want:
5mins.co.uk
5mins.info
5minsmail.com
5mins-mail.com
5minsmail.net
5mins-mail.net
5mins-mail.org
5mins-ppm.com
5mins-update.com
b2bcompanylist.com
b2bemaillistsuk.com
b2bmailinglistsuk.com
b2bmarketingcompanieslist.com
bestemailmarketinglists.com
bizibuy.biz
bizibuy.com
businessmailinglistsuk.com
callmovers.co.uk
coastline-gallery.com
companiesthatsellemaillists.com
consumeremaillistsuk.com
countrunner.com
dataseeder.com
dataseeder.net
dataseeder.org
emailappending-emailmovers.com
emailcleansing.com
email-databases.com
emailinspector.info
emailinspector.net
emailinspector.org
emailliststobuy.com
emailmarketingconsultancy.com
emailmarketingconsultation.com
emailmovers.com
emm-mail.org
emm-news.com
ems300live.com
emvrs.co
enudge.com
freewordpresstemplates.biz
grannymave.co.uk
likemovers.com
mailinglistuk.com
onlinebusinessecards.com
quotesplease.co.uk
seedalert.com
socialmediaslot.com
theemailexpert.com
ukconsumeremaildatabase.com
ukconsumeremaillist.com
ukemaildata.com
workmug.com

Added: these following domains are also in use for the inital spam, plus there are more details on the comments section:
parkconnect.net
simplequotes.net

Added (II):  some more domains these spammers use can be found here.