Thursday, 7 August 2014

CDS Group (cdsgroup.co.uk) fake invoice spam

This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted.

It is trivially easy to fake who an email is "From". That is what is happening in this case. CDS are an innocent victim of whoever is perpetrating this spam run. Please do not take your frustrations out on CDS. CDS have a notice about these emails on their site.

This is a sample email:

Date:      Thu, 07 Aug 2014 10:41:48 +0100 [05:41:48 EDT]
From:      Nancy Tyler CDS Group [accounts@cdsgroup.co.uk]
Subject:      CDS Invoice: 241-28195

CDS Group


Dear client,

Please find attached your invoice number 241-28195

If you have any queries with this invoice, please email us at accounts@cdsgroup.co.uk or call us on 020 8752 8040



The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International



Tel: 020 8752 8040
Email: accounts@cdsgroup.co.uk



Please consider the environment before printing this email.

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.

If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person. This e-mail or any attachments are for information purpose only and does not form any part of an agreement, contract or fact.

The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. Whilst The CDS Group has taken every reasonable precaution to minimise the risk, we do not accept liability for any damage, which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachment to this e-mail.

This email has been scanned by iomartcloud.
http://www.iomartcloud.com

Attached is an archive file CDS_241-28195.zip, which contains a folder named invoice_cdsgroup_799543.xls, which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr with a very low VirusTotal detection rate of 3/54.

Automated analysis tools are inconclusive at the moment [1] [2], but I will add more details if I find them.

Wednesday, 6 August 2014

Companies House "Case 4620571" spam

This fake Companies House spam has a malicious attachment:

Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      RE: Case 4620571

The submission number is: 4620571

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr with a VirusTotal detection rate of 11/53. Automated analysis tools [1] [2] show that the malware reaches out to the following locations, which are good candidates for blocking:

64.191.43.150
94.23.247.202
feelgoodframesstore.com
beeprana.com
upscalebeauty.com

.us and .me scumbag spammers are now .mobi scumbag spammers

That didn't take long: these scumbag spammers I've been tracking over the past couple of days have a new set of mail servers and domains for pumping out their useless affiliate crap.

Sending IPs:
69.39.238.200
69.39.238.201
69.39.238.202
69.39.238.203
69.39.238.204

These IPs belong to GigeNET in the US.

Spamvertised domains:
getitnow.find-cars-here-4u.mobi
trynow.safty-first-walkin-tubs.mobi
startnow.get-medicare-for-less4u.mobi
lower-your-payments-wHARP.mobi
safe.cure-most-diseases01.mobi

Sample emails:
From:     Best_AutoPrice [carsalesevent101@find-cars-here-4u.mobi]
Date:     6 August 2014 15:27
Subject:     Hi, Summer Price Reduction on All New Vehicles. Notice: 14359709

Local Auto Notice:  14359709
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://getitnow.find-cars-here-4u.mobi


Modify_your notification_preferences: http://stop.find-cars-here-4u.mobi
PO Box No. 6498
PELAYO_ 80
-28004--MADRID--MADRID

=========================================

From:     Walk.In.Bathtub.2855074 [bathtub.safety@safty-first-walkin-tubs.mobi]
Date:     6 August 2014 15:34
Subject:     Hi, Learn about the Versatility of a Walk in Bathtub Message: 21036031

Enjoy Safe, Comfortable-Bathing in your Home
---------------------------------------------------------
[redacted],

Whether you are looking for a Walk-in Tub for Safety or Therapeutic reasons for yourself or a loved-one, we can help.

We can help you find Professional, Affordable Service Contractors near you.

Find a safe and comfortable walk-in tub online Today:
http://trynow.safty-first-walkin-tubs.mobi


Message: 21036031


Modify_your advertising_preference  here; http://leave.safty-first-walkin-tubs.mobi
QuinStreet, Inc. 950 Tower Lane_ Foster City, CA 94404

=========================================

From:     enrollment-period.9138765 [future.enrollment.451@get-medicare-for-less4u.mobi]
Date:     6 August 2014 15:40
Subject:     Hi, Medicare Enrollment Begins Soon. Notice #24458838

Notice: 24458838
**********************************************************
Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins
October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan
during this Annual Election Period.

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.

Find the Best Plan & Save up to 40% Online: http://startnow.get-medicare-for-less4u.mobi


Opt-off this_request: http://exit.get-medicare-for-less4u.mobi
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box_ No. 309

===============================================

From:     HARP-Qualify.4642746 [Andrea.Casey1254@lower-your-payments-wharp.mobi]
Date:     6 August 2014 15:46
Subject:     Re: HARP Program: Lower Rates May Be Available Rpt: 13849540

[redacted],

Are your home payments weighing you down?

This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.

Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.


Get competitive rates quotes from Top Lenders and Save --
http://save.lower-your-payments-wHARP.mobi


Andrea Casey
Harp Eligibility Team

Report: 13849540


If you would like to update settings please go here: http://halt.lower-your-payments-wHARP.mobi
8776 [East-Shea_Blvd. #B3A-462_Scottsdale, AZ 85260]

===============================================

From:     Ultimate_Cure.5798463 [your.miracle.cure@cure-most-diseases01.mobi]
Date:     6 August 2014 15:54
Subject:     Re: Doctor Jailed for CURING Cancer (see why), Article No. 5615302


Today, you have a 95% chance of eventually dying from a disease or condition for which there is already a known cure right at your fingertips.

Well-respected doctors have been attacked, threatened with losing their licenses and even JAILED for sharing the information you are about to discover...

If you or a your loved one is suffering from ANY, and we mean ANY illness, chronic or acute, especially if you've been told it is incurable, then this is the most important message you will hear today.


View This SHOCKING Health Alert in your Browser: http://safe.cure-most-diseases01.mobi
(they don't want you to know about this)


Article No. 5615302


Modify_your_preferences here- http://hold.cure-most-diseases01.mobi
PO Box: #678
Calle Arturo Rodriguez- 17--23410 Sabiote
Jaén, Spain

Sample click paths:

WHOIS details for the domains are fake:

Registrant ID:bdb01b76634ea4b7
Registrant Name:Kiera Gladdish
Registrant Street1:2123 Edison Rd
Registrant City:South Bend
Registrant State/Province:IN
Registrant Postal Code:46637
Registrant Country:US
Registrant Phone:+1.5742720312
Registrant Email:kieragladdishr946@yahoo.com


.us scumbag spammers are now .me scumbag spammers

This active scumbag spamming crew [1] [2] [3] have switched to .me domains instead of .us domains. Maybe they got too much heat. Anyway, here they are with a new set of mail servers and domains but a similar pile of affiliate networks as before.

Sending IPs:
79.142.65.6
79.142.65.7
79.142.65.8
79.142.65.10
79.142.65.12
79.142.65.15

All these IPs are on ALTUSHOST B.V. in the Netherlands.

Spamvertised domains:
getitnow.affordable-auto-ins10.me
orderhere.food-storage-freshness10.me
signup.lower-personal-credit10.me
starttoday.life-coverage-for-you10.me
actnow.reduce-mortgage-cost10.me
check.unwanted-timeshares-sold.me

Sample emails:

From:     Lower-Auto-Coverage.11013628 [Auto-Insurance-Discount@affordable-auto-ins10.me]
Date:     6 August 2014 14:28
Subject:     Re: Notice: Hey, Pay as little as $9/week on car insurance

Announcement:  You may be Required to carry Auto Insurance
-------------------------------------------------------------------------------------

[redacted],

You are NOT Required to Over-Pay!

Premiums as low as $9

Compare quotes from Top Carriers and see how much you can SAVE.

 Find Me Auto Insurance as low as $9/week:  http://getitnow.affordable-auto-ins10.me

Notice No: 11013628


Modify_announcement_preferences here:  http://disallow.affordable-auto-ins10.me???
Cheaper Auto Coverage-PO Box 425768 Cambridge MA02142-9998

========================================

From:     ASOTV_MrLid.20092754 [organized.mr.lid@food-storage-freshness10.me]
Date:     6 August 2014 14:15
Subject:     Hi, The only food storage container of its kind ID: 23965159


Are you loosing your Mind? Loosing your Lids.



========================================

From:     Go-Triple_Score.22560108 [score.report.476@lower-personal-credit10.me]
Date:     6 August 2014 14:08
Subject:     Fwd: Has Your Score Recently Changed? Update: 6055819

RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date:  August 2014 Score Update
----------------------------------------------------.
Update # 13518498
----------------------------------------------------.

Dear [redacted],

The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.


Go here now to find out how your score was affected by these updates: http://signup.lower-personal-credit10.me

Your Score Generation Time: 47 Seconds


Regards,
Marcie D.
2014 Score Defender

Cancel_this email_notification: http://disallow.lower-personal-credit10.me
Suite 4753-24B  Moorefield Rd  Johnsonville--Wellington 6037 New Zealand

========================================

From:     AIG_Direct Inc.9292124 [aig.direct.2014@life-coverage-for-you10.me]
Date:     6 August 2014 14:01
Subject:     Re: Your $250K Term Life for Just $10.63 a month. Ref. No. 14329170


Call or Visit Today for $250K Term Life Under $11/mo


========================================


From:     Home_Savings Info.2550922 [lower.home.payment@reduce-mortgage-cost10.me]
Date:     6 August 2014 14:41
Subject:     Re: Homeowners Could be Missing out on Thousands in Savings

Notice for Homeowner:  [redacted]

President Has Waived Refi-Requirement

Homeowners who do this will save about 3,000 USD/year. The problem is 70% of homeowners don't even know how to take advantage of the savings. If you're a homeowner and you don't know, you have to read this. . .

Calculate My Lower House Payment:  http://actnow.reduce-mortgage-cost10.me

(To view this message in your browser, use the link above.)


Notice: 11105679

This is an advertisement. All trademarks, service marks, logos and/or domain names (including the names of products or retailers) are the property of their respective owners. The manufacturers, retailers or providers of the items offered may not have endorsed, approved of or otherwise sponsored this promotion. Restrictions apply. Void where prohibited by law. To manage your notification preferences, please visit here:  http://end.reduce-mortgage-cost10.me
Richardshaw Lane, Hanson Centre, GR
Leeds, LS28 6QP

==========================================

From:     Timeshare_Brokers.17819636 [linda.kesler93@unwanted-timeshares-sold.me]
Date:     6 August 2014 15:04
Subject:     Re: Timeshare Owners- Don't pay another Maintenance Fee. Bulletin: 14642854

TIMESHARE BULLETIN:  Timeshare Sales are heating up this Summer

July 2014

[redacted],

You may be eligible to sell your unwanted timeshare.

Eliminate monthly maintenance fees on a timeshare you no longer use.

Timeshare sales are on the rise in 2014;
non-US residents buying timeshares.

Don't miss the chance to dispose of your unwanted timeshare.

Let us Sell Your Timeshare Now:
http://check.unwanted-timeshares-sold.me

Thank you,
Emily D.
Time-share Advisor
No. 17819636

Click paths:


The WHOIS details on the domains are fake:

Registrant ID:3537f036cb04904e
Registrant Name:Rose Cotterill
Registrant Organization:n/a
Registrant Address:5300 Gateway Ctr
Registrant Address2:
Registrant Address3:
Registrant City:Troy
Registrant State/Province:MI
Registrant Country/Economy:US
Registrant Postal Code:48507
Registrant Phone:+1.8102321772
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail:rosecotterillv296@yahoo.com


Tuesday, 5 August 2014

.us scumbag spammers, part 3

These are the same scumbags as found here and here. They are burning through hosting accounts at a fearsome rate. The latest two IPs are in the Worldstream address space:

217.23.14.153
217.23.14.13

Spamvertised domains:

reservenow.enroll-in-medicare-14.us
startnow.protect-your-surface01.us

Sample emails:

From:     enrollment_period.12352763
Date:     5 August 2014 17:32
Subject:     Hey, Medicare Enrollment Begins Soon. Notice #11262474

Notice:  Medicare Open Enrollment Starts Soon
**********************************************************

Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan during this Annual Election Period.  .

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.  Find the Best Plan & Save up to 40% Online: http://reservenow.enroll-in-medicare-14.us

Notice: 11262474


======================================

From:     Protective.Coating.3879421
Date:     5 August 2014 17:14
Subject:     Re: Garage Floor Coatings before Winter Rain and Snow


-------- Start Notice #3879421 --------------

Surface Protect Plus Summer Savings

Attn: snowshoe2@dynamoo.com

Don't let rain and the coming snow ruin your deck and garage.

Summer is the time to protect your garage and wood floors.

Amazing deal for homeowners looking to preserve their deck and garage surfaces.

Go Here Now to Protect Your Floors for Years and Years: http://startnow.protect-your-surface01.us


--------------- End Notice ----------------

Manage_your_preferences: http://end.protect-your-surface01.us

PO Box: #19258
Falterstrasse., 12 97318--Kitzingen., Germany.

Click paths:


Some of these affiliate networks and sites have no contact details at all; all the others have been notified of the problem.

Recommended blocklist (for this spam run and the one earlier today):

.us scumbag spammers strike again

These low-life scumbag spammers are the same people I wrote about here, and they are playing around in the scummy end of the affiliate marketing business.

The spamvertised domains are:

readcriminalsearch.us
pluscarsearch.us
bumpcredit.us
expectlowmortgage.us
citizensmedicare.us
closedfoodstorage.us


All of these are registered with fake WHOIS details:

Registrant ID:                               28B5829EB467EADA
Registrant Name:                             Colleen Fenn
Registrant Organization:                     na
Registrant Address1:                         2555 W Lawrence Ave
Registrant City:                             Chicago
Registrant State/Province:                   IL
Registrant Postal Code:                      60625
Registrant Country:                          United States
Registrant Country Code:                     US
Registrant Phone Number:                     +1.7739070654
Registrant Email:                            colleenfennf342@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C11


Originating IPs for email are:

109.201.135.21
109.201.135.35
109.201.135.47
109.201.135.108
109.201.148.11
109.201.148.24

All of these IPs are in the same 109.201.128.0/19 block allocated to:

organisation:   ORG-NE3-RIPE
org-name:       NForce Entertainment B.V.
org-type:       LIR
address:        NFOrce Entertainment BV
address:        Postbus 1142
address:        4700BC
address:        Roosendaal
address:        NETHERLANDS
phone:          +31206919299
fax-no:         +31206919409
abuse-mailbox:  abuse@nforce.com
admin-c:        PT3315-RIPE
admin-c:        JH24522-RIPE
admin-c:        NFAR
tech-c:         NFTR
mnt-ref:        MNT-NFORCE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        MNT-NFORCE
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        NFAB
source:         RIPE # Filtered


You might want to block the /24s or even the whole /19 belonging to these people. Up to you.

UPDATE:  a second wave of spam has started from 77.93.204.105 in the Czech Republic:

organisation:   ORG-EA808-RIPE
org-name:       Exmasters.com
org-type:       OTHER
address:        Exmasters.com
address:        Milos Kalerta
address:        Fricova 1102,26301 Dobris,Czech Republic
phone:          +420 603 114414
abuse-mailbox:  abuse@exmasters.com
mnt-ref:        MASTER-MNT
mnt-ref:        MASTER-MNT
mnt-by:         MASTER-MNT
admin-c:        EC6938-RIPE
tech-c:         EC6938-RIPE
abuse-c:        EC6938-RIPE
source:         RIPE # Filtered


The spamvertised sites themselves are parked on 98.124.199.1 and 98.124.198.1 (eNom). There are several hundred thousand sites parked on these servers, so blocking those IPs might have unexpected consequences.

The spam emails generated do not identify the true sender, and given that the email list they are using was originally generated from a forced UNSUBSCRIBE link, I would bet that trying to unsubscribe will just lead to more spam.

Here are some examples:

From:     Background_Archives [records.archive@readcriminalsearch.us]
Date:     5 August 2014 14:22
Subject:     Hi, Your background check is available online. Notice: 1718629

Date:  05-August-2014
-----------------------------
Notice No. 1718629
-----------------------------
Attention:  [redacted]

Past criminal records are now online because of new privacy laws.

Find out if your records are available online:
http://find.readcriminalsearch.us


0pt-off this request_ http://halt.readcriminalsearch.us
Av. Conselheiro Aguiar, 312 _ Pina
Recife _ PE
51011--031, Brazil
PO box: _0913


==================================================

From:     Best-AutoPrice [car.liquidation.event@pluscarsearch.us]
Date:     5 August 2014 14:12
Subject:     Hey, Summer Price Reduction on All New Vehicles. Notice: 5370643


Local Auto Notice:  5370643
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://limited.pluscarsearch.us


Modify_your notification_preferences: http://end.pluscarsearch.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID

==================================================

From:     Go_Triple_Score.22692335 [score.report.476@bumpcredit.us]
Date:     5 August 2014 14:04
Subject:     Re: Has Your Score Recently Changed? Update: 24174301

RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date:  August 2014 Score Update
----------------------------------------------------.
Update # 24174301
----------------------------------------------------.

Dear [redacted],

The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.


Go here now to find out how your score was affected by these updates: http://trynow.bumpcredit.us

Your Score Generation Time: 47 Seconds

Regards,
Marcie D.
2014 Score Defender

Cancel_this email_notification: http://stop.bumpcredit.us
Suite 4753-24B  Moorefield Rd  Johnsonville _Wellington 6037 New Zealand

==================================================

From:     HARP_Qualify.24513021 [Andrea.Casey@expectlowmortgage.us]
Date:     5 August 2014 14:51
Subject:     Fwd: HARP Program: Lower Rates May Be Available Rpt: 14579829


[redacted],

Are your home payments weighing you down?

This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.

Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.


Get competitive rates quotes from Top Lenders and Save --
http://joinnow.expectlowmortgage.us


Andrea Casey
Harp Eligibility Team

Report: 14579829

Control your_advertising status_here --- http://end.expectlowmortgage.us
or mail to:
Suite 4753-24B Moorefield Rd_Johnsonville Wellington_6037 New Zealand

==================================================

From:     enrollment_period.7469835 [future.enrollment.451@citizensmedicare.us]
Date:     5 August 2014 14:42
Subject:     Hey, Medicare Enrollment Begins Soon. Notice #17904389

Notice:  Medicare Open Enrollment Starts Soon
**********************************************************

Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan during this Annual Election Period.  .

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.  Find the Best Plan & Save up to 40% Online: http://reservenow.citizensmedicare.us

Notice: 17904389


Opt-off this request: http://leave.citizensmedicare.us
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box, No. 309

==================================================


From:     ASOTV-MrLid.11390255 [organized.mr.lid@closedfoodstorage.us]
Date:     5 August 2014 15:06
Subject:     Hey, The only food storage container of its kind ID: 16462768


==================================================
From:     Best-AutoPrice [car.liquidation.event@car-truck-searches01.us]
Date:     5 August 2014 15:42
Subject:     Hey, Summer Price Reduction on All New Vehicles. Notice: 21892282

Local Auto Notice:  21892282
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://start.car-truck-searches01.us

Modify_your notification_preferences: http://stop.car-truck-searches01.us
PO Box No. 6498
PELAYO_ 80
-28004--MADRID_MADRID

When you follow the clickthroughs you can see that the victim is being bounced around what in my opinion look like several very low quality ad networks.


I'm not accusing the affiliate networks involved of soliciting sales through spam, but this is a list of all the domains in use in case you want to do something with them:



"Invoice 20146308660 June 2014 - July 2014" spam


Monday, 4 August 2014

Bank of America "Important Documents" spam leads to Cryptowall

This fake BofA spam has a malicious payload:

Date:      Mon, 4 Aug 2014 19:57:07 +0800 [07:57:07 EDT]
From:      Andrea Talbot [Andrea.Talbot@bofa.com]
Subject:      RE: Important Documents

Please check attached documents regarding your Bofa account.

Andrea Talbot
Bank Of America
817-298-4679 office
817-180-2340 cell Andrea.Talbot@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are
confidential and are intended solely for the use of the person or entity to whom the
message was addressed. If you are not the intended recipient of this message, please be
advised that any dissemination, distribution, or use of the contents of this message is
strictly prohibited. If you received this message in error, please notify the sender.
Please also permanently delete all copies of the original message and any attached 

Attached to the message is an archive AccountDocuments.zip which in turn contains the malicious executable AccountDocuments.scr which has a VirusTotal detection rate of 6/54 and the comments indicate that this is a variant of Cryptowall. The Comodo CAMAS report shows that it phones home to the following URLs:

94.23.247.202/0408cnet28/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408cnet28/SANDBOXB/1/0/0/
dirbeen.com/khalid53/cnet28.zip
ibuildchoppers.com/wp-content/gallery/choppers/cnet28.zip

Recommended blocklist:
94.23.247.202
dirbeen.com
ibuildchoppers.com

"Invoice 2014080420" spam

This spam has a malicious attachment:

Date:      Mon, 04 Aug 2014 20:29:43 +0900 [07:29:43 EDT]
From:      Accounts Dept [tolvan.rover@btinternet.com]
Subject:      Invoice 2014080420 dynamoo

This email contains an invoice file for June 2014 - July 2014. Please pay invoice in full in 3 business days and reply to us.

There is an attachment INV_2014080420.zip containing a folder invoice_june2014-july2014.xls which in turn contains a malicious executable invoice_june2014-july2014.xls.scr which has a VirusTotal detection rate of 6/52. Automated analysis tools are inconclusive [1] [2] about what it does.

UPDATE
The first part downloads a copy of Cridex from 23.92.84.52:8080/ord/1.exe which currently has a VT detection rate of 9/54. Blocking 23.92.84.52 may offer some protection.
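As an added example (not the blog's own code), here is a Python check that inspects a ZIP attachment without extracting it and flags the layout described above: a folder named like a spreadsheet that holds an invoice_*.xls.scr executable. The sample archive is constructed in memory, and the extension lists are my own assumptions.

```python
import io
import os
import zipfile

# Extensions Windows will run directly when double-clicked (constructed list).
EXEC_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions used as the "decoy" half of a double extension.
DOC_EXT = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}


def classify_entry(name):
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    base = name.rstrip("/").rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext in EXEC_EXT:
        reasons.append("executable extension %s" % ext)
        # invoice.xls.scr: the part before the real extension is itself a
        # document extension, so the name is meant to read as a spreadsheet.
        inner_ext = os.path.splitext(stem)[1].lower()
        if inner_ext in DOC_EXT:
            reasons.append("double extension %s%s" % (inner_ext, ext))
    # A directory named like a document hides that the real file is one
    # level down; the recipient sees "invoice_june2014-july2014.xls".
    if name.endswith("/") and ext in DOC_EXT:
        reasons.append("directory named like a document")
    return reasons


def suspicious_entries(zip_bytes):
    """Inspect a ZIP attachment in memory; returns [(member, [reasons]), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = classify_entry(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed archive mimicking the INV_2014080420.zip layout above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_june2014-july2014.xls/", "")
        zf.writestr(
            "invoice_june2014-july2014.xls/invoice_june2014-july2014.xls.scr",
            b"MZ placeholder, not a real executable",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_entries(build_sample()):
        print(member, "->", "; ".join(reasons))
```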

"Important - BT Digital File" spam

This fake BT spam has a malicious attachment:

Date:      Mon, 4 Aug 2014 08:48:51 -0430 [09:18:51 EDT]
From:      Marci Tobin
Subject:      Important - BT Digital File


BT Digital Vault     BT

Dear Customer,

This email contains your BT Digital File. Please scan attached file and reply to this email.

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 7221* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

Registered office: 81 Newgate Street London EC1A 7AJ Registered in England no: 1800000

The attachment is BT_Digital_Vault_File.zip which contains a malicious executable BT_Digital_Vault_File.exe which has a VirusTotal detection rate of 5/54. According to the Comodo CAMAS report the malware reaches out to the following URLs:

94.23.247.202/0408choUK2/SANDBOXB/0/51-SP2/0/
94.23.247.202/0408choUK2/SANDBOXB/1/0/0/
94.23.247.202/0408heap/SANDBOXB/1/0/0/
94.23.247.202/0408preb04/SANDBOXB/1/0/0/
amhzconsultancy.com/wordpress/48u2.zip
sintesismark.com/images/48u2.zip
bianconeandwilinsky.com/wp-content/uploads/2013/02/h8i3.zip
osteoarthritisblog.com/wp-content/uploads/2010/02/h8i3.zip
hopeisnull.comuf.com/wp-content/uploads/2014/03/pre.zip
grenzland-classic.de/css/pre.zip

Recommended blocklist:
94.23.247.202
amhzconsultancy.com
sintesismark.com
bianconeandwilinsky.com
osteoarthritisblog.com
hopeisnull.comuf.com
grenzland-classic.de


UPDATE: the following spam also has the same payload..

Date:      Mon, 4 Aug 2014 11:41:18 +0000 [07:41:18 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      Incident 7132163 - Companies House

The submission number is: 7132163

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500 

"Sup" snowshoe spam from 208.71.174.32/27

Here's a strange spam I've been tracking for a couple of days:

Date:      Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From:      Olive [olive@platesat.us]
Subject:      Sup

The HTML in the body text reads:
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<img src="http://www.gonename.us/unsubscribe.php?email=[redacted]">
</body>
</html>
The "IMG" is invalid and shows a placeholder.. making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? Not exactly.

A look at the root directory of www.gonename.us (143.95.38.234 = petyrbaelish.asmallorange.com) shows the inner workings of the spam:

The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer which, like all mailing list applications, can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names in the unsubscribe.dat file (hardly secure, I know), and what appears to be happening in this case is that the HTML has been altered slightly to make everyone unsubscribe.

Finnell's Corollary to the Rules of Spam states that spammers define "remove" as "validate", which is exactly what is happening here.. when someone opens the email (if their email client displays images) then it automatically confirms that they have opened it. A crude but effective way of confirming that the email address is valid.

At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. Emails are held in plaintext and can be harvested by anyone.

No doubt the people who opened this email can look forward to a whole set of additional spam in their inboxes.
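An added example, not part of the original post: a Python check that parses an HTML body like the one above and flags remote <img> tags that point at an unsubscribe endpoint or carry the recipient's address in the query string, which is the validation trick just described. The sample body and the victim@example.com address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Loose "looks like an e-mail address" test for query parameter values.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def classify_img(src):
    """Return the reasons an image URL looks like an address-validation beacon."""
    reasons = []
    u = urlparse(src)
    if u.scheme not in ("http", "https"):
        return reasons  # cid:/data: images cannot phone home
    if "unsubscribe" in u.path.lower():
        reasons.append("remote image points at an unsubscribe endpoint")
    for key, values in parse_qs(u.query).items():
        if any(EMAIL_RE.match(v) for v in values):
            reasons.append("recipient address carried in query parameter %r" % key)
    return reasons


def find_validation_beacons(html_body):
    """Return [(src, [reasons]), ...] for every suspicious remote image."""
    parser = ImgCollector()
    parser.feed(html_body)
    findings = []
    for src in parser.srcs:
        reasons = classify_img(src)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed body modelled on the "Sup" spam; the address is a placeholder.
SAMPLE_BODY = """<html><head>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
</head><body>
<img src="http://www.gonename.us/unsubscribe.php?email=victim@example.com">
<img src="cid:logo@local">
<img src="https://www.example.com/logo.png">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_validation_beacons(SAMPLE_BODY):
        print(src, "->", "; ".join(reasons))
```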

All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be fake.

This attack started last week with a different range of sending addresses in the 188.165.94.176/28 (OVH, France / VertVPS, Canada) range sending victims to a spamvertised site of www.morehex.us which was configured in the same way. All those sites have now been suspended. Email subjects in that case were:
What's up?
Hey Sister
G'day


Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated.

I've seen the following domains and IPs in the spam I have received myself, no doubt there are other domains and IPs too.


IP Domain Type Contact Contact email
5.254.115.198 autofinder-low.us Email Laurs Finch laursfinchk995@yahoo.com
174.140.162.115 indeed-removefats.com Email Oli Brooker olibrooker732@yahoo.com
174.140.162.116 top-auto-locator.com Email Oli Brooker olibrooker732@yahoo.com
174.140.162.119 improvekitchen-cabinet-repair.com Email Oli Brooker olibrooker732@yahoo.com
174.140.162.120 tried-protectivecoats.com Email Oli Brooker olibrooker732@yahoo.com
174.140.162.123 active-timeshares-sells.com Email Oli Brooker olibrooker732@yahoo.com
174.140.162.124 proposed-lifeinsurance.com Email Lynne Dargle lynnedargle786@yahoo.com
174.140.162.125 low-mortgage-quotes-own.com Email Lynne Dargle lynnedargle786@yahoo.com
174.140.162.126 immediately-findwindows.com Email Lynne Dargle lynnedargle786@yahoo.com
188.165.94.189 belly-fats-reducerhuge.com  Email Oli Brooker olibrooker732@yahoo.com
208.71.174.35 liegewalk.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.36 scrapehold.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.37 teasesat.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.38 cutecrane.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.39 milkfame.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.40 faintwalk.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.41 moussehold.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.42 platesat.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.43 awaycrane.us Email Chere Danes cheredanes736@yahoo.com
208.71.174.44 flapfame.us Email Chere Danes cheredanes736@yahoo.com
143.95.38.234 gonename.us Web Kristie Fisher kristiefisher103@yahoo.com
143.95.32.129 morehex.us Web Helena Hodgson helenahodgson177@yahoo.com

Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details:


Recommended blocklist:
208.71.174.32/27
gonename.us

Saturday, 2 August 2014

Warning: ipma2014.org (Institute of Project Management America)

Just a quick note to say that if you see an email referring to the site ipma2014.org then this is a new domain for the so-called Institute of Project Management America. Beware.

It is NOT related to the 28th IPMA World Congress which uses the domain ipma2014.com or any other legitimate professional organisation. You can read my research on the activities of the people behind this outfit here.

Friday, 1 August 2014

"Corporate eFax message from "unknown" - 3 page(s)" spam

This somewhat mangled spam has a malicious attachment:

Date:      Fri, 1 Aug 2014 09:45:45 -0700 [12:45:45 EDT]
From:      eFax Corporate [message@inbound.efax.com]
Subject:      Corporate eFax message from "unknown" - 3 page(s)

You have received a 3 page fax             at 2014-08-01 10:55:05. * The
reference number for this fax is p2_did1-4724072401-8195088665-159.       Thank you for
using the eFax Corporate service!        2014 j2 Global, Inc. All rights reserved. eFax
Corporate is a registered trademark of j2 Global, Inc. This account is subject to the
terms listed in the         eFax Corporate Customer Agreement.  

Attached is an archive file Fax_912_391233111_941.zip which in turn contains a malicious executable Fax_912_391233111_941.scr which has a VirusTotal detection rate of 10/54.

The Comodo CAMAS report shows the malware reaching out to the following locations:

94.23.247.202/0108us1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108us1/SANDBOXA/1/0/0/
theyungdrungbon.com/wp-includes/images/0108us1.zip
101romanticcheapdates.com/wp-includes/images/0108us1.zip

Recommended blocklist:
94.23.247.202
theyungdrungbon.com
101romanticcheapdates.com

"Payroll Received by Intuit" spam / Cryptowall

I haven't seen any fake Intuit spam for a while. This one comes with a malicious attachment:

Date:      Fri, 1 Aug 2014 07:59:12 -0600 [09:59:12 EDT]
From:      Intuit Payroll Services [IntuitPayrollServices@payrollservices.intuit.com]
Subject:      Payroll Received by Intuit

Dear, [redacted]
We received your payroll on August 01, 2014 at 09:01 AM EST.

Attached is a copy of your Remittance. Please click on the attachment in order to view it.

Please note the deadlines and status instructions below: If your payroll is received
BEFORE 5 p.m., your Direct Deposit employees will be paid two (2) banking days from the
date received or on your paycheck date, whichever is later.  If your payroll is received
AFTER 5 p.m., your employees will be paid three (3) banking days from the date received
or on your paycheck date, whichever is later.  YOUR BANK ACCOUNT WILL BE DEBITED THE DAY
BEFORE YOUR CHECKDATE. Funds are typically withdrawn before normal banking hours so
please make sure you have sufficient funds available by 12 a.m. on the date funds are to
be withdrawn. Intuit must receive your payroll by 5 p.m., two banking days before your
paycheck date or your employees will not be paid on time.  Intuit does not process
payrolls on weekends or federal banking holidays. A list of federal banking holidays can
be viewed at the Federal Reserve website. Thank you for your business.

Sincerely, Intuit Payroll Services



IMPORTANT NOTICE: This notification is being sent to inform you of a critical matter
concerning your current service, software, or billing. Please note that if you previously
opted out of receiving marketing materials from Intuit, you may continue to receive
notifications similar to this communication that affect your service or software. If you
have any questions or comments about this email, please DO NOT REPLY to this email. If
you need additional information please contact us.

If you receive an email message that appears to come from Intuit but that you suspect is
a phishing email, please forward it to immediately to spoof@intuit.com. © 2014 Intuit
Inc. All rights reserved. Intuit and the Intuit Logo are registered trademarks and/or
registered service marks of Intuit Inc. in the United States and other countries. All
other marks are the property of their respective owners, should be treated as such, and
may be registered in various jurisdictions.

Intuit Inc. Customer Communications
2800 E. Commerce Center Place, Tucson, AZ 85706

The attachment in this case is called Remittance.zip and it contains a malicious executable Remittance.exe which has a VirusTotal detection rate of 9/53.

According to the evidence of this very detailed ThreatTrack report [pdf], this is a version of Cryptowall. It makes network connections to various sites including the now-familiar 94.23.247.202.

I recommend that you block the following domains and IPs:
94.23.247.202
theothersmag.com
poroshenkogitler.com
kpai7ycr7jxqkilp.onion2web.com


New York City Police "Homicide Suspect" spam using goo.gl shortener to spread malware

The bad guys are enjoying the goo.gl URL shortening service at the moment (remember, you can report goo.gl spam to goo.gl/spam-report). This spam is slightly unusual..

From:     ALERT@nyc.gov [ALERT@static-23-106-230-77.ipcom.comunitel.net]
Date:     1 August 2014 10:43
Subject:     Homicide Suspect

Bulletin Headline: HOMICIDE SUSPECT
Sending Agency: New York City Police
Sending Location: NY - New York - New York City Police
Bulletin Case#: 14-10078
Bulletin Author: BARILLAS #9075
Sending User #: 94265
APBnet Version: 287320

The bulletin is a pdf file. To download please follow the link below (Google Disk Drive service):

https://goo.gl/RwNKEA


The Adobe Reader (from Adobe.com) will display and print the bulletin best.

You can Not reply to the bulletin by clicking on the Reply button in your email software.

The link in the email is goo.gl/RwNKEA which goes to unionlawgroup.com/wp-content/images/Documents-43632.zip which is exactly the same payload as used in this spam.

Adding a "+" to the end of the URL reveals the click statistics.

Blocking unionlawgroup.com is probably a good idea.

NatWest "You have a new Secure Message" spam uses goo.gl links to spread malware

This fake NatWest bank message uses the Goo.gl URL shortener to spread malware:

From:     NatWest [secure.message@natwest.com]
Date:     24 July 2014 10:39
Subject:     You have a new Secure Message

You have received a secure message from NatWest Bank

To read your secure message please click here. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser.
If you have concerns about the validity of this message, contact the sender directly.

First time users - will need to register after opening the attachment.
Help - https://securemail.natwest.com/websafe/ml/help?topic=RegEnvelope

The link in the email goes to goo.gl/dGDi7l and then downloads a ZIP file from berkleyequine.com/wp-includes/images/Documents-43632.zip, containing a malicious executable Documents-43632.scr which has a VirusTotal detection rate of just 1/54. The CAMAS report shows that the malware calls out to the following URLs:

94.23.247.202/0108uk1/SANDBOXA/0/51-SP2/0/
94.23.247.202/0108uk1/SANDBOXA/1/0/0/
94.23.247.202/0108hk1/SANDBOXA/1/0/0/
94.23.247.202/0108ok1/SANDBOXA/1/0/0/
acanthe.be/css/01u1.rar
dirbeen.com/misc/01u1.rar
porfintengoweb.com/css/heap_61_id3.rar
sso-unidadfinanzas.com/images/heap_61_id3.rar
theothersmag.com/covers/opened.rar
firstfiresystems.com/css/slimbox/opened.rar

The characteristics of this malware are very similar to this one seen yesterday, and you can be assured that there are other goo.gl URLs and download locations in addition to the one listed here.

Because you can see the stats for any goo.gl URL just by adding a "+" on the end, it is possible to see who is clicking through. Oddly, there is not a single clickthrough from the UK where the NatWest bank is actually based.

Google don't make it easy to report spammy links and they are awfully slow to respond to reports, but their reporting form is at goo.gl/spam-report if you want to try it (I would recommend giving it a go).

Recommended blocklist:
94.23.247.202
acanthe.be
dirbeen.com
porfintengoweb.com
sso-unidadfinanzas.com
theothersmag.com
firstfiresystems.com
berkleyequine.com

Thursday, 31 July 2014

"Scanned Image from a Xerox WorkCentre" spam

This is a thoroughly old school spam with a malicious attachment.

Date:      Thu, 31 Jul 2014 18:16:08 +0000 [14:16:08 EDT]
From:      Local Scan [scan.614@victimdomain]
Subject:      Scanned Image from a Xerox WorkCentre

You have a received a new image from Xerox WorkCentre.

Sent by: victimdomain
Number of Images: 5
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: victimdomain

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

Guess what.. it isn't an image at all, but a ZIP file with the unusual name of Image_[_var=partorderb].zip which contains a malicious executable Image_07312014.scr, scoring a measly 1/54 at VirusTotal.

The Comodo CAMAS report shows that the malware downloads components from the following locations:

94.23.247.202/3107us2/SANDBOXA/0/51-SP2/0/
94.23.247.202/3107us2/SANDBOXA/1/0/0/
94.23.247.202/3107h2/SANDBOXA/1/0/0/
94.23.247.202/3107op2/SANDBOXA/1/0/0/
globe-runners.com/fichier_pdf/31u2.zip
lucantaru.it/docs/31u2.zip
mediamaster-2000.de/img/heap.zip
ig-engenharia.com/wp-content/uploads/2014/02/heap.zip
upscalebeauty.com/img/colors/teal/opened.zip
lagrimas.tuars.com/css/opened.zip


There are some further clues in the VirusTotal comments as to what the malware does. Sophos has also seen the 94.23.247.202 (OVH, France) IP before.

Recommended blocklist:
94.23.247.202
globe-runners.com
lucantaru.it
mediamaster-2000.de
ig-engenharia.com
upscalebeauty.com
lagrimas.tuars.com