Sponsored by..

Wednesday, 13 November 2013

PayPal "Identity Issue" spam / Identity_Form_04182013.zip

This fake PayPal (or is it Quickbooks?) spam has a malicious attachment:

Date:      Wed, 13 Nov 2013 02:27:39 -0800 [05:27:39 EST]
From:      Payroll Reports [payroll@quickbooks.com]
Subject:      Identity Issue #PP-679-223-724-838

We are writing you this email in regards to your PayPal account. In accordance with our
"Terms and Conditions", article 3.2., we would like to kindly ask you to confirm your
identity by completing the attached form. Please print this form and fill in the
requested information. Once you have filled out all the information on the form please
send it to verification@paypal.com along with a personal identification document
(identity card, driving license or international passport) and a proof of address
submitted with our system ( bank account statement or utility bill )

Your case ID for this reason is PP-TEBY66KNZPMU

For your protection, we might limit your account access. We apologize for any
inconvenience this may cause.

Thanks,

PayPal

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information belonging to the sender (PayPal , Inc.) that is
proprietary, privileged, confidential and/or protected from disclosure under applicable
law. If you are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distributions of this electronic message are violations of federal
law. Please notify the sender of any unintended recipients and delete the original
message without making any copies.  Thank You

PayPal Email ID PP89759 

Attached is a file Identity_Form_04182013.zip which in turn contains Identity_Form_04182013.exe which has an icon to make it look like a PDF file.

The detection rate for this at VirusTotal is 9/47, automated analysis tools [1] [2] [3] shows an attempted connection to signsaheadgalway.com on 78.137.113.21 (UKfastnet Ltd, UK) which is the same server used in this attack, so you can safely assume that the whole server is compromised and I recommend that you block that particular IP.

"Rodrigo Sawyer and Associates" fake job offer

This laughable primitive fake job offer is recruiting for money mules, package reshipping or some other scam.

From:     RSA-CAREER! [anthonykather1@gmail.com]
Reply-To:     anthonykather1@gmail.com
Date:     12 November 2013 20:43
Subject:     please read


Hi...
  We Have a PT/job. we pay $250 per job and we want you to participate.
Your job is only to act as a regular customer and conduct normal business, Customer service is valuable.

If interested,send the information below after which we would send you an application form

   1. FuII N4ME :
   2. FullAdress :
   3. Stte | Cty :
   4. CodZ!p :
   5. Phones :
   6.Alternate E-mail:
   7. O.c.c.u.p.a.t.i.o.n :

Your response would be greatly appreciated.

Sincerely,
Rodrigo sawyer and associates.
Originating IP is pro1042.server4you.de [62.75.181.174]. Avoid.

Tuesday, 12 November 2013

"2012 and 2013 Tax Documents; Accountant's Letter" spam / tax 2012-2013.exe

This fake tax spam comes with a malicious attachment:

Date:      Wed, 13 Nov 2013 00:44:46 +0800 [11:44:46 EST]
From:      "support@salesforce.com" [support@salesforce.com]
Subject:      FW: 2012 and 2013 Tax Documents; Accountant's Letter

I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2012 and 2013, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission. 
Attached to the file is a ZIP file called dlf2365.zip which contains a malicious executable file tax 2012-2013.exe which has an icon to make it look like a PDF file.

VirusTotal detection rates are 17/47. Automated analysis tools [1] [2] show an attempted connection to nishantmultistate.com on 216.157.85.173 (Peer 1, US). This is the same server as used in this attack, and you can safely assume that the whole server is compromised. Blocking this IP is probably a good idea.




"Important - New Outlook Settings" spam / Outlook.zip

This spam email has a malicious attachment:

Date:      Tue, 12 Nov 2013 16:22:38 +0100 [10:22:38 EST]
From:      Undisclosed Recipients
Subject:      Important - New Outlook Settings

Please carefully read the attached instructions before updating settings.

This file either contains encrypted master password, used to encrypt other files. Key archival has been implemented, in order to decrypt the file please use the following password: PaSdIaoQ

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk@victimdomain and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. 
The body text of the spam contains a faked email address made to look like helpdesk@ the victim's domain. Attached to the email is a password-protected ZIP file Outlook.zip that has to be decoded with the PaSdIaoQ key in the body text of the email (hopefully intelligent people will realise that you wouldn't send the password with the encrypted attachment.. you'd have to be really daft to do that).

Unzipping the file gives a malicious executable Outlook.exe which has an icon designed to look like Microsoft Outlook.

The detection rate at VirusTotal is 5/45. Automated analysis tools [1] [2] show an attempted connection to dchamt.com on 216.157.85.173 (Peer 1 Dedicated Hosting, US). That IP address contains about 70 websites which may or may not be clean.

"You have received new messages from HMRC" spam, HMRC_Message.zip and qualitysolicitors.com

This fake HMRC spam comes with a malicious attachment. Because the spammers have copied-and-pasted the footer from somewhere random it also effectively joe jobs an innocent site called qualitysolicitors.com:

Date:      Tue, 12 Nov 2013 05:29:28 -0500 [05:29:28 EST]
From:      "noreply@hmrc.gov.uk" [noreply@hmrc.gov.uk]
Subject:      You have received new messages from HMRC

Please be advised that one or more Tax Notices (P6, P6B) have been issued.

For the latest information on your Tax Notices (P6, P6B) please open attached report.

Please do not reply to this e-mail.

1.This e-mail and any files or documents transmitted with it are confidential and
intended solely for the use of the intended recipient. Unauthorised use, disclosure or
copying is strictly prohibited and may be unlawful. If you have received this e-mail in
error, please notify the sender at the above address and then delete the e-mail from your
system. 2. If you suspect that this e-mail may have been intercepted or amended, please
notify the sender. 3. Any opinions expressed in this e-mail are those of the individual
sender and not necessarily those of QualitySolicitors Punch Robson. 4. Please note that
this e-mail and any attachments have been created in the knowledge that internet e-mail
is not a 100% secure communications medium. It is your responsibility to ensure that they
are actually virus free. No responsibility is accepted by QualitySolicitors Punch Robson
for any loss or damage arising from the receipt of this e-mail or its contents.
QualitySolicitors Punch Robson: Main office 35 Albert Road Middlesbrough TS1 1NU
Telephone 01642 230700. Offices also at 34 Myton Road, Ingleby Barwick, Stockton On Tees,
TS17 0WG Telephone 01642 754050 and Unit E, Parkway Centre, Coulby Newham, Middlesbrough
TS8 0TJ Telephone 01642 233980 VAT no. 499 1588 77. Authorised and regulated by the
Solicitors Regulation Authority (57864). A full list of Partners names is available from
any of our offices. For further details, please visit our website
http://www.qualitysolicitors.com/punchrobson
Perhaps the spammers were as irritated by the overblown mail footer as I was. Anyway, there's a ZIP file called HMRC_Message.zip which in turn contains a malicious executable HMRC_Message.exe which has a VirusTotal detection rate of 12/47.

Automated analysis tools [1] [2] show that it attempts to communicate with alibra.co.uk  on 78.137.113.21 (UKfastnet Ltd, UK) and then it attempts to download additional components from:

[donotclick]synchawards.com/a1.exe
[donotclick]itcbadnera.org/images/dot.exe

a1.exe has a detection rate of 16/47, and Malwr reports further HTTP connections to:
[donotclick]59.106.185.23/forum/viewtopic.php
[donotclick]new.data.valinformatique.net/5GmVjT.exe
[donotclick]hargobindtravels.com/38emc.exe
[donotclick]bonway-onza.com/d9c9.exe
[donotclick]friseur-freisinger.at/t5krH.exe

dot.exe has a much lower detection rate of 6/47, ThreatExpert, ThreatTrack [pdf] and Malwr report various types of activity including keylogging and credential harvesting. There are also many, many HTTP connections to various hosts, I suspect this is attempting to mask the actual C&C servers it is connecting to.

a1.exe downloads several more files, all of which appear to be the same. The VirusTotal detection rate for these is 5/47, Malwr reports several attempted IP connections that look a bit like peer-to-peer Zeus.

Recommended blocklist:
59.106.185.23
new.data.valinformatique.net
hargobindtravels.com
bonway-onza.com
friseur-freisinger.at
synchawards.com
itcbadnera.org
alibra.co.uk


Dynamic DNS sites you might want to block, 12/11/13

These domains are used for dynamic DNS and are operated by a company called Dyn who offer a legitimate service, but unfortunately it is abuse by malware writers. If you are the sort of organisation that blocks dynamic DNS IPs then I recommend that you consider blocking the following.

Dyn are pretty good at dealing with abuse complaints (you can contact them here). Blocking these domains will block some legitimate sites, primarily webcams and access to home PCs.. so bear this in mind if you choose to do so.

Sites below listed in yellow  have been identified as having some malware by Google, ones listed in red are blocked by Google. Ones listed in italics are flagged as malicious by SURBL. The links go to the Google diagnostic page.

at-band-camp.net
barrel-of-knowledge.info
barrell-of-knowledge.info
besteverydns.com
better-than.tv
bitferret.com
bitferret.net
bitferret.org
blogdns.com
blogdns.net
blogdns.org
blogsite.org
boldlygoingnowhere.org
broke-it.net

buyshouses.net
cechire.com
certaindns.com
certaindns.net
certaindns.org
damnserver.org
ddns-example-1.com
ddns-example-2.com
ddns-example-3.com
depower2go.com
dinedns.com
dinedns.net
dinedns.org
dns-gateway.net
dnsalias.com
dnsalias.net
dnsalias.org

dnscog.org
dnsdojo.com
dnsdojo.net
dnsdojo.org
dnsforall.net
dnsforall.org
dnsinc.org
dnssettings.com
dnssettings.info
dnssettings.net
dnssettings.org
dnssetup.info
does-it.net
doesntexist.com
doesntexist.org
dontexist.com
dontexist.net
dontexist.org
doomdns.com
doomdns.org
dvrdns.org
dyn-o-saur.com
dynalias.com
dynalias.net
dynalias.org

dynamic-dns-server.org
dynathome.net
dyndn.org
dyndns.biz

dyndns.cn
dyndns.info
dyndns.tv
dyndns.ws

dynds.org
dyndsn.net
dyndsn.org
editdns.net
edudns.org
est-a-la-maison.com
est-a-la-masion.com
est-le-patron.com
est-mon-blogueur.com
everydns.com
everydns.net
for-better.biz
for-more.biz
for-our.info
for-some.biz
for-the.biz
from-ak.com
from-al.com
from-ar.com

from-az.net
from-ca.com
from-co.net
from-ct.com
from-dc.com
from-de.com
from-fl.com
from-ga.com
from-hi.com

from-ia.com
from-id.com
from-il.com
from-in.com
from-ks.com

from-ky.com
from-la.net
from-ma.com
from-md.com
from-me.org
from-mi.com
from-mn.com
from-mo.com

from-ms.com
from-mt.com
from-nc.com
from-nd.com
from-ne.com
from-nh.com
from-nj.com
from-nm.com
from-nv.com

from-ny.net
from-oh.com
from-ok.com
from-or.com
from-pa.com
from-pr.com
from-ri.com
from-sc.com
from-sd.com
from-tn.com
from-tx.com
from-ut.com
from-va.com
from-vt.com
from-wa.com
from-wi.com
from-wv.com
from-wy.com
ftpaccess.cc
fuettertdasnetz.de
game-host.org
game-server.cc
getmyip.com
gets-it.net
gotdns.co.uk
gotdns.com
gotdns.org
groks-the.info
groks-this.info
guilded.org
ham-radio-op.net
here-for-more.info
hobby-site.com

hobby-site.org
homedns.org
homeftp.net
homeftp.org
homeip.net
homelinux.com
homelinux.net
homelinux.org
homeunix.com
homeunix.net
homeunix.org

in-the-band.net
invaliddns.com
ipupdate.org
is-a-anarchist.com
is-a-blogger.com
is-a-bookkeeper.com

is-a-bruinsfan.org
is-a-candidate.org
is-a-caterer.com
is-a-celticsfan.org
is-a-chef.com
is-a-chef.net

is-a-chef.org
is-a-conservative.com
is-a-cpa.com
is-a-cubicle-slave.com
is-a-democrat.com
is-a-designer.com
is-a-doctor.com

is-a-financialadvisor.com
is-a-geek.com
is-a-geek.net
is-a-geek.org

is-a-green.com
is-a-guru.com
is-a-hard-worker.com
is-a-hunter.com
is-a-knight.org

is-a-landscaper.com
is-a-lawyer.com
is-a-liberal.com
is-a-libertarian.com
is-a-linux-user.org
is-a-llama.com
is-a-musician.com
is-a-nascarfan.com
is-a-nurse.com
is-a-painter.com
is-a-patsfan.org
is-a-personaltrainer.com
is-a-photographer.com
is-a-player.com
is-a-republican.com
is-a-rockstar.com
is-a-socialist.com
is-a-soxfan.org
is-a-student.com

is-a-teacher.com
is-a-techie.com
is-a-therapist.com
is-an-accountant.com
is-an-actor.com

is-an-actress.com
is-an-anarchist.com
is-an-artist.com
is-an-engineer.com
is-an-entertainer.com
is-by.us
is-certified.com
is-found.org
is-gone.com
is-into-anime.com
is-into-cars.com
is-into-cartoons.com
is-into-games.com
is-leet.com
is-lost.org
is-not-certified.com
is-saved.org
is-slick.com
is-uberleet.com
is-very-bad.org
is-very-evil.org
is-very-good.org
is-very-nice.org
is-very-sweet.org
is-with-theband.com
isa-geek.com
isa-geek.net
isa-geek.org
isa-hockeynut.com
issmarterthanyou.com
isteingeek.de
istmein.de
it-geek.net
kicks-ass.net
kicks-ass.org
knowsitall.info
land-4-sale.us
lebtimnetz.de
leitungsen.de
likes-pie.com
likescandy.com
listhop.com
listhop.net
listhop.org
merseine.nu
mine.nu
misconfused.org
mydyndns.biz
mydyndns.com
mydyndns.info
mydyndns.net
mydyndns.org
mypets.ws
myphotos.cc
neat-url.com
no-ip.tv
office-on-the.net
on-the-web.tv
podzone.net
podzone.org
readmyblog.org
revyxorp.com
saves-the-whales.com
scrapper-site.net
scrapping.cc
scriptkiddie.net
sec-dns.net
secondary.net
selfip.biz
selfip.com
selfip.info
selfip.net
selfip.org
sells-for-less.com
sells-for-u.com
sells-it.net
sellsyourhome.org
servebbs.com
servebbs.net
servebbs.org
serveftp.net
serveftp.org
servegame.org
shacknet.nu
simple-url.com
smallbizdns.com
smallbizdns.net
smallbizdns.org
space-to-rent.com
stuff-4-sale.org
stuff-4-sale.us
teaches-yoga.com
thruhere.net
tomdaly.org
traeumtgerade.de
webhop.biz
webhop.info
webhop.net
webhop.org
worse-than.tv
writesthisblog.com


Monday, 11 November 2013

"Consumer Benefit Ltd" adware sites to block

A couple of network blocks came to my attention after investigating some adware ntlanmbn.exe (VirusTotal report) and GFilterSvc.exe (report) both in C:\WINDOWS\SYSTEM32.

The blocks are 212.19.36.192/27 and 82.98.97.192/28 and are allocated to:

netname:        Consumer-Benefit-AV-NET
descr:          Consumer Benefit LTD
descr:          Suite F 1st floor, New City Chambers
descr:          36 Wood Street
descr:          WF1 2HB Wakefield
country:        GB
admin-c:        KH2166-RIPE
tech-c:         PLN
status:         ASSIGNED PA
mnt-by:         PLUSLINE-MNT
source:         RIPE # Filtered


The problem is that there is no active company in the UK called Consumer Benefit Ltd.. there was a short-lived Manchester company number 06505446 which was dissolved in 2011, but I can't find any evidence that they are connected other than the similar name.

Many of the domains currently or recently hosted in these IP ranges are clearly deceptive in nature (e.g. awsmazon.com, tradesdoubler.com, ebayrt.com, zanox-afiliate.com) and these use pseudo-anonymous WHOIS details also using the Wakefield address:

Registry Registrant ID:
Registrant Name: whois Protect Service
Registrant Organization:
Registrant Street: Suite F 1st floor, New City,
Registrant Street: Chambers, 36 Wood Street
Registrant City: Wakefield
Registrant State/Province: GB
Registrant Postal Code: WF1 2HB
Registrant Country: GB
Registrant Phone: +44.7077087721
Registrant Phone Ext:
Registrant Fax: +44.7077087502
Registrant Fax Ext:
Registrant Email: whois@sl.to


One .com using services in this range with apparently genuine details is ns-lookups.com:

Registry Registrant ID:
Registrant Name: Andrea Bégerová
Registrant Organization: BA Market Slovakia s. r. o.
Registrant Street: Klincová 37/B
Registrant City: Bratislava
Registrant State/Province: Slovenská Republika
Registrant Postal Code: 821 08
Registrant Country: SK
Registrant Phone: +421.259348122
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@bam-sk.com


Also hosted are some .to domains with anonymous registration, plus some German domains the only one of which with reliable WHOIS details seems to be gutscheinfilter.de registered to:

Type: PERSON
Name: Frank Dümpelmann
Organisation: Domport GmbH & Co KG
Address: Markt 32
PostalCode: 18273
City: Güstrow
CountryCode: DE
Phone: +49-9001-118840
Fax: +49-9001-118860
Email: adminc@domport.de


Domport seem to be invovled in domain parking and they have their own range of 212.19.39.192/28 that they use for this.

The adware in question attempted to call home to the following URLs:
f05e0362515f5125.srv.gutscheinfilter.de
dce645501bc1af9f.srv.ns-lookups.com
a.ns-lookups.com/updatecheck

Anyway, the following domains and IPs are all part of these "Consumer Benefit Ltd ranges and appear to be adware-related and have unclear ownership details. If you block adware sites on your network then I would recommend using the following blocklist:
212.19.36.192/27
82.98.97.192/28
awsmazon.com
beelboon.com
htmladserver.com
tradesdoubler.com
ad-googlelinks.com
zanox-afiliate.com
linktrackingnet.com
googlesyntication.com
ns-lookups.com
download-web-shield.com
linkvista.de
adcall.de
gutscheinfilter.de
ebayrt.com
score.to
uses.to
vill.to
howto.to
setup.to
thats.to
trans.to
public.to
public-load.com
goal.to
vree.to
64-up.to
feeds.to
stopp.to
64-bit.to
hunter.to
trends.to
win-64.to
maps-24.to

Sunday, 10 November 2013

"African Development Humanitarian Council" (adhcouncil.org) scam

This spam promotes the non-existent African Development Humanitarian Council purportedly with a web address of adhcouncil.org:

From:     camara amadu [camaraamadu9@gmail.com]
To:     davisaentltd@rediffmail.com
Date:     10 November 2013 14:23
Subject:     FOOD STUFF NEEDED URGENTLY
Signed by:     gmail.com

African Development Humanitarian Council
http://www.rediffmail.com/cgi-bin/red.cgi?account_type=1&red=http://www.adhcouncil.org.
Is ready to purchase the listed bellow foodstuffs.

1.Rice

2. Beans

3. Milk

4. Sugar

5. Vegetable Oil

6. Onion

7. Cement


As an authorised foodstuffs agent. This is 2013 foodstuffs supply
contract project from African Development Humanitarian Council
http://www.rediffmail.com/cgi-bin/red.cgi?account_type=1&red=http://www.adhcouncil.org.
The foodstuffs is for the sustenance of refugees of war affected
countries, Like Côte d'Ivoire, Somalia, Sudan, Liberia and others.

Payment has been made to be 100% full payment by Telegraphic swift
Transfer (T/T) after signing of the contract agreement with the
contract awarding board of directors in Mali.

If your Company can supply any of these products please reply me, then
I will help you to get the contract through my office. You will
receive the complete payment of the contract value before shipping
your goods. Port of destination is TOGO LOME Sea Port.


Best Regards,

Mr. Camara
Tel..........+223 71878900
Skype......amadu.camara36
The email solicits replies to camaraamadu9@gmail.com and was sent to a spam trap. The "African Development Humanitarian Council" does not exist (although there are many agencies with similar names) and the domain adhcouncil.org was registered in April with fake WHOIS details. Of course, the spammer might not be associated with the domain name, but in any case the whole lot is some sort of scam and should be avoided.

It's hard to say exactly what the scam is. Probably some sort of advanced fee fraud, but in any case you should ignore this particular solicitation.

Friday, 8 November 2013

"Voicemail Message" spam / MSG00049.zip and MSG00090.exe

Another day, yet another fake voicemail message spam with a malicious attachment:
Date:      Fri, 8 Nov 2013 15:15:20 +0000 [10:15:20 EST]
From:      Voicemail [user@victimdomain.com]
Subject:      Voicemail Message

IP Office Voicemail redirected message 
Attached is a file MSG00049.zip which in turn contains a malicious executable MSG00090.exe. Virus detection on VirusTotal is a so-so 12/47. Automated analysis [1] [2] shows an attempted connection to seminyak-italian.com on 198.1.84.99 (Unified Layer / Websitewelcome, US). There are 7 or so legitimate sites on that server, I cannot vouch for them being safe or not.

Malware sites to block 8/11/2013 (Nuclear EK)

The IPs and domains listed below are currently in use to distribute the Nuclear exploit kit (example). I strongly recommend blocking them or the 142.4.194.0/30 range in which these reside. Many (but not all) of them are already flagged as being malicious by SURBL and Google.

The domains are being used with subdomains, so they don't resolve directly. I have identified 3768 domains in this OVH range, allocated to:

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     430000
Country:        RU
RegDate:        2013-08-12
Updated:        2013-08-12
Ref:            http://whois.arin.net/rest/customer/C04668267


(Hat tip to a contact who originally flagged the infection up, I just added a bit more research. If you're reading this you know who you are)

The subdomains can found in this file [csv] but as it is almost definitely incomplete it is simpler to use the blocklist below:
142.4.194.0/30
alertoriginal.biz
ardaymarvl.biz
assayimagination.biz
assessdiscover.biz
atrlook.biz
atrprinc.biz
batillbicdaylook.biz
bombepear.biz
briefthink.biz
browseimagine.biz
canadadayglamorou.biz
checkimagine.biz
chinesenewyearglamorous.biz
chinnwyarlook.biz
cincodmayogold.biz
clipalarm.biz
columbusdaygold.biz
comonautham.biz
comthytria.biz
comtwary.biz
cratranticipation.biz
custardpeach.biz
electiondaypretty.biz
examinevisionary.biz
flagdayfahionabl.biz
fluagdaychic.biz
grandparntdaycharming.biz
guyfawkdayfahionabl.biz
guyfawkdaylganc.biz
hallowbicndram.biz
inspectionimagination.biz
judgebegin.biz
lctiondaycoutur.biz
lctiondayfabulou.biz
lctiondayglamour.biz
likeinspire.biz
likeinvent.biz
lincolnbirthdaydazzl.biz
lookbackstrategy.biz
magicbizic.biz
mardigrapopular.biz
markstrategy.biz
martinlutherkingdaycharm.biz
maydayheavenly.biz
maydaylganc.biz
meringuebreadfruit.biz
mmorialdayattractiv.biz
mmorialdaychic.biz
mothrdayglamour.biz
muttnikcontntmnt.biz
newyearsevefashion.biz
newyearsevemagical.biz
nwyardayclay.biz
pacincurity.biz
plantabicrycontntmnt.biz
pridntdaynchant.biz
purimcharming.biz
radiationamumnt.biz
randayflar.biz
rangeinvent.biz
rangelab.biz
reviewimagination.biz
ringupn.biz
rohhahanahfabulou.biz
rohhahanahway.biz
scanbegin.biz
sundaebanana.biz
tlmtrygrumpy.biz
tortekiwi.biz
valentinesdaypearl.biz
valntincharming.biz
valntindaycoutur.biz
valntintrnd.biz
waxqgturumph.biz
yomkippurdashing.biz
yvanity.biz
zabicoconut.biz


Thursday, 7 November 2013

Fake "Financial Times Survey Team" spam / ft-survey.com and AlfainHost

This fake Financial Times spam is a bit of a mystery:

From: The Financial Times [mailto:ft448516@surveymonkey.com]
Sent: Thu 07/11/2013 18:58
Subject: We value your opinion and we need your help


Dear British businessman,

We at the Financial Times are doing a survey among British business owners and managers regarding Euroscepticism.

As you are currently aware David Cameron on Monday confronted critics in his party who want to withdraw from the EU and close Britains borders, arguing there was no use hiding away from the world. And a lot more will follow.

We are contacting as many subscribers and people who commented on our business related articles to ask for their own opinion.

If you would like to be heard and help us build an article that will be on the first page in the next few weeks please help us.

Send us an E-mail at eu@ft-survey.com with the following information:

If your business is connected by import or export with the European Union, if it is Export please add us a few more details like what do you sell, or the services you provide;
What countries do you trade within the European Union;
Your opinion on Euroscepticism and the effect it has on your business;

Thank you so much for your help and contribution.

The Financial Times Survey Team,
eu@ft-survey.com
There are no links in the email apart from a mailto: for the email address, and there are no attachments. The email was sent to a UK user and concerns a matter specific to people in the UK, so it appears to be targeted in some way.

So, what's wrong with this email? Let's start by looking at the domain ft-survey.com which was registered just one day ago on 6th November to a registrant using the Panamanian privatewhois.net service to hide their details. The real Financial Times site at ft.com clearly identifies its owner. If you visit ft-survey.com (not recommended) then you get a 302 redirect to the legitimate ft.com website.

Next, ft-survey.com is hosted and receives mail on 204.188.238.143 which nominally belongs to some outfit called Sharktech in Las Vegas, but is actually suballocated to a customer in Pakistan:

%rwhois V-1.5:003eff:00 rwhois.sharktech.net (by Network Solutions, Inc. V-1.5.9.6)
network:Auth-Area:204.188.192.0/18
network:Class-Name:network
network:OrgName:AlfainHost
network:OrgID;I:MADIH-ULLAH-RIAZ
network:Address:Clifton Court #16
network:City:Karachi
network:StateProv:Sindh
network:PostalCode:74400
network:Country:PK
network:NetRange:204.188.238.140 - 204.188.238.143
network:CIDR:204.188.238.140/30
network:NetName:AlfainHost-204.188.238.140
network:OrgAbuseHandle:MADIH-ULLAH-RIAZ
network:OrgAbuseName:ABUSE department
network:OrgAbusePhone:923218913810
network:OrgAbuseEmail:madihrb@alfainhost.com
network:OrgNOCHandle:NOC2002-ARIN
network:OrgNOCName:Network Operations Center
network:OrgNOCPhone:+1-312-846-7642
network:OrgNOCEmail:abuse@sharktech.net
network:OrgTechHandle:TMT-ARIN
network:OrgTechName:Tim Timrawi
network:OrgTechPhone:+1-312-846-7642
network:OrgTechEmail:timt@sharktech.net
network:RegDate:20130723
network:Updated:20131106


It would be unlikely that the Financial Times would be using such a small outfit. Furthermore, 204.188.238.143 appears to contain a number of scam domains that look like phishing or money mule recruitment sites, as indeed does the entire 204.188.238.140/30 block.. more of which below.

The email headers are also suspect, and appear to show an originating IP of 94.21.75.226 (A Digi Ltd Customer in Hungary) mis-using a PHP script on rockyourworldsummit.com 66.147.242.87 (Unified Layer, US) which then bounces mail through a mailserver on 67.222.51.224 (also Unified Layer).

Received: from oproxy14-pub.mail.unifiedlayer.com (HELO oproxy14-pub.mail.unifiedlayer.com) (67.222.51.224)
  by [redacted] with SMTP; 7 Nov 2013 18:59:02 -0000
Received: (qmail 24735 invoked by uid 0); 7 Nov 2013 18:59:00 -0000
Received: from unknown (HELO box487.bluehost.com) (66.147.242.87)
  by oproxy14.mail.unifiedlayer.com with SMTP; 7 Nov 2013 18:59:00 -0000
Received: from localhost ([127.0.0.1]:41772 helo=box487.bluehost.com)
    by box487.bluehost.com with esmtp (Exim 4.80)
    (envelope-from <bigspark@box487.bluehost.com>)
    id 1VeUnD-0006y7-Se
    for [redacted]; Thu, 07 Nov 2013 11:58:59 -0700
Date: Thu, 07 Nov 2013 11:58:59 -0700
To: [redacted]
Subject: We value your opinion and we need your help
X-PHP-Script: www.rockyourworldsummit.com/wp-content/editor/help-text.php for 94.21.75.226
From:  The Financial Times <ft448516@surveymonkey.com>
Reply-To: <ft448516@surveymonkey.com>
Message-ID: <c06381c27d6d17e9f0e266ea45bae788@live.com>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Identified-User: {:box487.bluehost.com:bigspark:box487.bluehost.com} {sentby:program running on server}
X-OriginalArrivalTime: 07 Nov 2013 19:03:53.0922 (UTC) FILETIME=[1A3BE220:01CEDBEC]


The domains hosted on 204.188.238.140/30 look rather phishy and spammy, download the report here in a CSV file. WOT ratings indicate low trustworthiness, Google has identified a number of malware and phishing sites and the SURBL codes also indicate some spam and malware. However, a look at some of the domains in use will lead you in no doubt that there are a large number of phishing domains hosted in this block. I would strongly recommend that you block it.


Quite what the point of this spam is I do not know, however I suspect that answering the so-called survery will open you up to other attacks including spear phishing.



"You received a voice mail" spam / Voice_Mail.exe

This fake voice mail spam has a malicious attachment:

Date:      Thu, 7 Nov 2013 15:58:15 +0100 [09:58:15 EST]
From:      Microsoft Outlook [no-reply@victimdomain.net]
Subject:      You received a voice mail

You received a voice mail : N_58Q-ILM-94XZ.WAV (182 KB)
   
Caller-Id:
   
698-333-5643
   
Message-Id:
   
80956-84B-12XGU
   
Email-Id:
   
[redacted]

This e-mail contains a voice message.
Double click on the link to listen the message.

Sent by Microsoft Exchange Server


Attached is a zip file in the format Voice_Mail_recipientname.zip which in turn contains a malicious file Voice_Mail.exe which has an icon to make it look like an audio file. VirusTotal detection for that is 7/47 and automated analysis tools [1] [2] show an attempted connection to amazingfloorrestoration.com on 202.150.215.66 (NewMedia Express, Singapore). Note that sometimes other sites on these servers have also been compromised, so if you see any odd traffic to this IP then it could well be malicious.

Wednesday, 6 November 2013

"Voice Message from Unknown" spam / VoiceMail.zip

This fake voice mail spam comes with a malicious attachment:

Date:      Wed, 6 Nov 2013 22:22:28 +0800 [09:22:28 EST]
From:      Administrator [voice9@victimdomain]
Subject:      Voice Message from Unknown (886-966-4698)

- - -Original Message- - -

From: 886-966-4698

Sent: Wed, 6 Nov 2013 22:22:28 +0800

To: recipients@victimdomain

Subject:  Private Message 
The email appears to come from an email address on the victim's own domain and the body text contains a list of recipients within that same domain. Attached to the email is a file VoiceMail.zip which in turn contains a malicious executable VoiceMail.exe with an icon to make it look like an audio file.

This malware file has a detection rate of 3/47 at VirusTotal. Automated analysis tools [1] [2] show an attempted connection to twitterbacklinks.com  on 216.151.138.243 (Xeex, US) which is a web host that has been seen before in this type of attack.

Xeex seems to divide up its network into /28 blocks, which would mean that the likely compromised block would be 216.151.138.240/28 which contains the following domains:
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com

Those domains are consistent with the ones compromised here and it it likely that they have all also been compromised.

Recommended blocklist:
69.26.171.176/28
216.151.138.240/28
twitterbacklinks.com
saferankbacklinks.com
youtubebacklinks.com
vubby.com
abc3k.com
pinterestbacklinks.com
bookmarkingbeast.com
antonseo.com
allisontravels.com
robotvacuumhut.com
glenburnlaw.com
timinteriorsystems.com
bulkbacklinks.com
prblogcomments.com
highprlinks.com
facebookadsppc.com

"Invoice 17731 from Victoria Commercial Ltd" spam leads to DOC exploit

This fake invoice email leads to a malicious Word document:

From: Dave Porter [mailto:dave.porter@blueyonder.co.uk]
Sent: 06 November 2013 12:06
To: [redacted]
Subject: Invoice 17731 from Victoria Commercial Ltd

Dear Customer :

Your invoice is attached to the link below:
[donotclick]http://www.vantageone.co.uk/invoice17731.doc
Please remit payment at your earliest convenience.

Thank you for your business - we appreciate it very much.

Sincerely,

Victoria Commercial Ltd
The email originates from bosmailout13.eigbox.net [66.96.186.13] which belongs the Endurance International Group in the US. The malicious .DOC file is hosted at [donotclick]www.vantageone.co.uk/invoice17731.doc which appears to be a hacked legitimate web site.

Detection rates have continued to improve throughout the day and currently stand at 10/47. The vulnerability in use is CVE-2012-0158 / MS12-027. If your Word installation is up-to-date and fully patched then it should block this attack.

A sandbox analysis confirms that it is malicious, in particular it connects to 158.255.2.60 (Mir Telematiki Ltd, Russia) and the following domains:
feed404.dnsquerys.com
feeds.nsupdatedns.com

It is the same attack as described by Blaze's Security Blog and I would advise you to look at that posting for more details. In the meantime, here is a recommended blocklist:
118.67.250.91
158.255.2.60
feed404.dnsquerys.com
feeds.nsupdatedns.com
customer.invoice-appmy.com
customers.invoice-appmy.org
customer.appmys-ups.orgfeed404.dnsquerys.org
feed.queryzdnsz.org
static.invoice-appmy.com
vantageone.co.uk

Tuesday, 5 November 2013

USPS spam / Label_442493822628.zip

This fake USPS spam has a malicious attachment:

Date:      Tue, 5 Nov 2013 14:24:45 +0000 [09:24:45 EST]
From:      USPS Express Services [service-notification@usps.gov]
Subject:      USPS - Missed package delivery

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 442493822628

Print this label to get this package at our post office.

Please attention!
For mode details and shipping label please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
USPS Logistics Services.

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (UPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies.  Thank You 
The attachment is Label_442493822628.zip which in turn contains a malicious executable Label_11052013.exe which has a VirusTotal detection rate of 6/46. Automated analysis [1] [2] shows an attempted connection to sellmakers.com on 192.64.115.140 (Namecheap, US). Note that there may be legitimate sites on that IP address, however it is possible that the whole server has been compromised.


"ACH Notification : ACH Process End of Day Report" spam / ACAS1104201336289204PARA7747.zip

This fake ACH (or is it Paychex?) email has a malicious attachment:

Date:      Tue, 5 Nov 2013 08:28:30 -0500 [08:28:30 EST]
From:      "Paychex, Inc" [paychexemail@paychex.com]
Subject:      ACH Notification : ACH Process End of Day Report

Attached is a summary of Origination activity for 11/04/2013 If you need assistance
please contact us via e-mail at paychexemail@paychex.com during regular business hours.

Thank you for your cooperation.  
Attached is a file ACAS1104201336289204PARA7747.zip which in turn contains an executable ACAS11042013.exe which has a VirusTotal detection rate of 7/46. Automated analysis [1] [2] shows an attempted connection to slowdating.ca on 69.64.39.215 (Hosting Solutions International, US). There are several legitimate sites on this server, however it is possible that the server itself is compromised.

The malware drops several files, including this one with a detection rate of 4/46 that also calls home to the same domain [1] [2]  and a payload file with another low detection rate of 5/46 that rummages through the system [1] [2]. The payload appears to be a Zbot variant.



Monday, 4 November 2013

"Payment Overdue - Please respond" spam / Payroll_Report-PaymentOverdue.exe

This fake SAGE spam has a malicious attachment:

Date:      Mon, 4 Nov 2013 21:00:59 +0600 [10:00:59 EST]
From:      Payroll Reports [payroll@sage.co.uk]

Please find attached payroll reports for the past months. Remit the new payment by 11/10/2013 as outlines under our payment agreement.

Sincerely,
Bernice Swanson

This e-mail has been sent from an automated system.  PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you. 
Attached is a file PaymentOverdue.zip which in turn contains a malicious executable Payroll_Report-PaymentOverdue.exe with a icon that makes it look like an Excel spreadsheet.

This malware has a VirusTotal detection rate of just 4/47, and automated analysis tools [1] [2] [3] shows an attempted connect to goyhenetche.com on 184.154.15.188 (Singlehop, US), a server that contains many legitimate domains but some more questionable ones too.

CCDCOE.org "Information Security Audit" spam

Here's a weird spam email..

From: CCDCOE [mailto:ccdcoe@ccdcoe.org]
Sent: Monday, November 04, 2013 12:16 PM
Subject: Information Security Audit


Dear Sir,

I am writing to inform you that NATO Cooperative Cyber Defence Centre of Excellence
conducted an information security audit of the network infrastructureof your organization. It
was carried out as part of exercise Steadfast Jazz 2013.

Our specialists have obtained access to theprivate network and the administration panel of the
website of your organization.

The level of information security of your organization does not meet the requirements of
NATO cyber security guidelines.

It is strongly recommended that you pay attention to this fact.

For more information you should contact NATO Cooperative Cyber Defence Centre of
Excellence.


Sincerely,

Col. Artur Suzik
Director,NATO Cooperative Cyber Defence Centre of Excellence


E-mail: ccdcoe@ccdcoe.org
Phone: +3727176800
Fax: +3727176308
Adress: Filtri tee 12, Tallinn 10132, Estonia

The email was sent to a target in Estonia, and the CCDCOE is a genuine NATO facility, also located in Estonia. The domain, telephone and fax number all appear genuine, and there are no attachments to the email nor are there any links.

However, the email is not genuine as it comes from 213.157.216.139 which is a Caucasus Online LLC ASDL subscriber in Georgia. Caucasus Online IPs are often seen in conjunction with botnets, so this is almost definitely a botnet node. The CCDCOE logo used in the email is also out of date.

A close examination of the mail headers shows that some of them have been faked in order to spoof an originating IP of 217.146.66.99 in Estonia.

Received: from dvb35.srv.it.ge (HELO dvb35.srv.it.ge) (213.157.216.139)
  by [redacted] with SMTP; 4 Nov 2013 10:15:35 -0000
Received: mx1.zone.ee (HELO ccdcoe.org) ([217.146.66.99])  by
 dvb35.srv.it.geL with ESMTP; Mon, 4 Nov 2013 12:01:08 +0200

Received: by ccdcoe.org (Postfix, from userid 309) id fu73vb6de6220; Mon, 4 Nov
 2013 12:00:45 +0200
Received: from 10.1.1.218 (10.1.1.218:35781)    by ccdcoe.org (Postfix) with SMTP
 id gkuuqe31b7s45.9.2013.11.04.59.56;    Mon, 4 Nov 2013 11:59:06 +0200
Message-ID: <20130e3f74d2.4353bd02@user>
From: "CCDCOE" <ccdcoe@ccdcoe.org>
To: [redacted]
Subject: Information Security Audit
Organization: CCDCOE


I can't figure out the purpose of this message, but it is almost definitely malicious. Perhaps there is a second part to this why has not been seen yet?