Sponsored by..

Tuesday, 1 May 2012

PayPal Spam / 72.46.140.14

This fake PayPal spam leads to malware on 72.46.140.14:

Date:      Tue, 1 May 2012 14:31:26 +0300
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Enrique Peterson

   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Enrique Peterson
wcEnrique22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total     $140.00 USD
Payment     $60.00 USD
Payment sent to Enrique Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526

The malicious payload is on 72.46.140.14/showthread.php?t=9d77a9163cda8dbe (report here) and is hosted by Versaweb in the US, suballocated to "Silver Knight Enterprises Corp" of Las Vegas.

Update: here is another variant

Date:      Tue, 1 May 2012 19:54:34 +0700
From:      "PayPal" [notify@paypal.com]
Subject:      RE:You just sent a payment to Jame Peterson


   
You just sent a payment
    Transaction ID: 2SM69324P0770102B
Hello xxxxxxxxxxxxxxx,
Thanks for using PayPal. It may take a few moments for this transaction to appear in your account.
Merchant
Jame Peterson
wcJame22@hotmail.com
    Note to Thad Peterson
You haven't sent a note.
Shipping address - confirmed
Michael Pepe
P.O. Box 173
Cheektowaga, NY�14225
United States
Total     $100.00 USD
Payment     $60.00 USD
Payment sent to Jame Peterson

   
Help Centre | Resolution Centre | Security Centre

This email was sent by an automated system, so if you reply, nobody will see it. To get in touch with us, log in to your account and click "Contact Us" at the bottom of any page.
Copyright � 2012 PayPal, Inc. All rights reserved. PayPal is located at 2211 N. First St., San Jose, CA 95131.

PayPal Email ID PP1526

Monday, 30 April 2012

LinkedIn spam / 74.91.120.210

This fake LinkedIn spam leads to malware on 74.91.120.210:

Date:      Mon, 30 Apr 2012 17:51:37 +0530
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 36 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.


The malicious payload is at 74.91.120.210/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Nuclearfallout Enterprises in the US.

91.121.84.204 / 64.244.61.40 malware

There's a spam run this morning (probably one of the familiar LinkedIn / Printer / CareerBuilder / Pizza / etc spams) that is trying to direct users to a malicious payload on 91.121.84.204:8080/showthread.php?t=34c79594e8b8ac0f (OVH, France. Wepawet report here) that then also tries to download an additional malware component from 64.244.61.40/rUPYeVt0.exe (cheekyshare.com, US).

Blocking access to these IPs would be prudent.

Friday, 27 April 2012

"Amazon.com Password Assistance" spam / healthcarewelbizness.com

The fake pill pushers are getting inventing, this spam leads to a fake pharma site on healthcarewelbizness.com :

Date:      Fri, 27 Apr 2012 04:47:10 +0000 (UTC)
From:      "Amazon.com" [account-update@amazone.com]
Subject:      Amazon.com Password Assistance

We received a request to reset the password associated with this e-mail address. Please follow the instructions below.

Click the link below to complete or cancel request using our secure server:

https://www.amazon.com/ap/forgotpassword?arb=cf4c17ba-4659-06c6-ff0f-58f6e8b50a66

If clicking the link doesn't seem to work, you can copy and paste the link into your browser's address window, or retype it there.

Amazon.com will never e-mail you and ask you to disclose or verify your Amazon.com password, credit card, or banking account number. Thanks for visiting Amazon.com!

healthcarewelbizness.com is hosted on 46.183.216.215 (Dataclub, Latvia) along with a whole load of other toxic websites that are best avoided.

"New message from.." spam / 74.91.114.83

Another variation in the never-ending malicious spam campaign that has been going on for months, leading to malware on 74.91.114.83.

Date:      Fri, 27 Apr 2012 07:13:47 -0300
From:      KristineLippitt@hotmail.com
Subject:      New message from KYLIE NIX

   
KYLIE NIX     3:01am April 27
Hello!

...

Click here to view full message


View Conversation on Facebook ?� Reply to this email to message KYLIE NIX.

The payload is on 74.91.114.83/showthread.php?t=34c79594e8b8ac0f (report here) hosted by TurkTelecom in Turkey.

CareerBuilder spam / popcows.net

These fake CareerBuilder messages attempt to download malware from popcows.net via a legitimate hacked site.

Date:      Fri, 27 Apr 2012 10:58:00 -0300
From:      Risa@site.careerbuilder.com
Subject:      You might be interested in this vacant position.


Hello,

I am a customer service representative at CareerBuilder. I found a vacant position at Security Finance Corporation that you may be interested in based on information from your resume or a recent online application you made on our site. You can review the position on the CareerBuilder site here:

Chief Business Development Officer


We wish you best of luck!


Risa
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

==========

Date:      Fri, 27 Apr 2012 18:52:37 +0530
From:      Deena@site.careerbuilder.com
Subject:      You might be interested in this vacant position.


Hello,

I am a customer service officer at CareerBuilder. I found a position at Security Finance Corporation that you may take interest in based on information from your resume or a recent online submission you made on our site. You can review the position on the CareerBuilder site here:

Customer Service Representative


We wish you best of luck!


Deena
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

The link tries to download from popcows.net/main.php?page=d024eabc8c2bdbfc (70.32.97.205 / Media Temple, US) which is 404ing at the moment, however it is still worth blocking it as a precaution.

LinkedIn spam / 50.116.23.176 and 64.244.61.40

Another LinkedIn spam leading to malware, this time on 50.116.23.176 and 64.244.61.40:

Date:      Fri, 27 Apr 2012 16:19:17 +0800
From:      "LinkedIn reminder" [reminder@linkedin.com]
Subject:      LInkedin pending messages

LinkedIn
REMINDERS

Invitation reminders:
• From Scott Burwell (Colleague at Nortel)


PENDING MESSAGES

• There are a total of 50 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2010, LinkedIn Corporation.
The malicious payload is on 50.116.23.176/showthread.php?t=9d77a9163cda8dbe (report here) hosted by Linode in the US. There is a subsequent download attempted from 64.244.61.40/rUPYeVt0.exe which appears to be a legitimate hacked server belonging to cheekyshare.com.

Twitter spam / medsdose.com

This fake Twitter spam leads to a fake pharmacy at medsdose.com but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 19:43:05 +0000
From:      Twitter [c-nfxzlxr=znvy-ba.hf-ae0dc@postmaster.twitler.com]
To:      xxxx@xxxx.com
Subject:      Unusual activity with your account!

Hi, xxxx@xxxx.com

Our system detected unusual activity associated with your account.

Your account may be temporarily suspended for violations of the Twitter Rules.

We suspend accounts for investigation if we suspect an account has been hacked or compromised.

You need to confirm your email address to regain access to your account.

Once you regain access, you will be able to request a new password for your Twitter account.

You can find information on following automations and permitted following behaviors on the help page:

https://support.twitter.com/

The Twitter Team

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

medsdose.com is hosted on 95.168.193.182 in the Czech Republic, this IP is used for several fake pharma sites and can be safely blocked.

205.251.65.190 / skill.ee malware

There's some spam run or other active at the moment directing users to a legitimate hacked site and then a malware page at 205.251.65.190/showthread.php?t=34c79594e8b8ac0f (report here), hosted by Big Brain Host in the US.

The site tries to download a malicious executable from www.skill.ee/4Jw.exe but at the moment that is failing with a 401 error. skill.ee looks like another legitimate hacked site, a common pattern with this type of attack.

Thursday, 26 April 2012

CareerBuilder spam / masterisland.net

Some fake CareerBuilder emails leading to malware on masterisland.net:

Date:      Thu, 26 Apr 2012 10:40:58 -0430
From:      Vielka@site.careerbuilder.com
Subject:      Careerbuilder.com has found a vacant position for you


Hello,

I am a customer service officer at CareerBuilder. I found an open position at Security Finance Corporation that you may take interest in based on details from your resume or a recent online submission you made on our site. You can review the position on the CareerBuilder site here:

Chief Business Officer


Best wishes in your job search!


Vielka
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

=======================

Date:      Thu, 26 Apr 2012 17:10:21 +0200
From:      Gretchen@site.careerbuilder.com
Subject:      Careerbuilder.com has found a vacant position for you


Hello,

I am a customer service representative at CareerBuilder. I found a position at Security Finance Corporation that you may find attactive based on information from your resume or a recent application you made on our site. You can review the position on the CareerBuilder site here:

Chief Human Resources Officer


We wish you best of luck!


Gretchen
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

=======================

Date:      Thu, 26 Apr 2012 17:15:13 +0200
From:      Vielka@site.careerbuilder.com
Subject:      You might be interested in this vacant position.


Hello,

I am a customer service officer at CareerBuilder. I found an open position at Security Finance Corporation that you may take interest in based on information from your resume or a recent application you made on our site. You can review the position on the CareerBuilder site here:

Chief administrative officer


Best wishes in your job search!


Vielka
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

=======================

Date:      Thu, 26 Apr 2012 21:09:52 +0530
From:      Karen@site.careerbuilder.com
Subject:      You might be interested in this position.


Hello,

I am a customer service employee at CareerBuilder. I found a position at Security Finance Corporation that you may be interested in based on details from your resume or a recent online application you made on our site. You can review the position on the CareerBuilder site here:

Chief Financial Officer


Best of luck to you in your job search!


Karen
Careerbuilder Customer Service Team
CareerBuilder ,5550-A Peachtree Parkway , Norcross, GA 30092

You are currently subscribed to receive "CareerBuilder.com Customer Messages" as service@careerbuilder.com
You can modify your account info or unsubscribe from this email at any time.

The link in the email goes through a legitimate hacked site to a payload on masterisland.net/main.php?page=975982764ed58ec3 (report here) hosted on 70.32.97.205 (Media Temple, US). There seem to be a lot of these spams coming out right now, so this is worth blocking.

LinkedIn spam / 199.115.229.55

This LinkedIn spam leads to malware on 199.115.229.55 after bouncing through a couple of legitimate hacked sites, a technique that we haven't seen for a couple of weeks.

Subject:     Signal LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
•  From Scott Burwell (Product Director at SNCF)



PENDING MESSAGES

• There are a total of 44 messages awaiting your response. Visit your InBox now.


Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.
The malware is on 199.115.229.55/showthread.php?t=977334ca118fcb8c (report here) hosted by Volumedrive in the US, which subsequently tries to download further malware from electrosa.com/8zvW2XE.exe (a site that has been used a lot in recent days). That domain and IP are worth blocking.

Facebook spam / bioldrugstore.com

This fake Facebook spam leads to a fake pharma site, but it could easily be adapted for malware.

Date:      Thu, 26 Apr 2012 09:33:46 -0700
From:      "Facebook" [notification+xxxxxxxxxxx@facebookemail.com]
Subject:      Welcome back to Facebook

Hello,

The Facebook account associated with xxxxxxxxxxx was recently reactivated.

If you were not the one who reactivated this account, please visit our Help Center to cancel the request.

http://www.facebook.com/help/?topic=security

Thanks,
The Facebook Team

The payload is a pharma site at bioldrugstore.com hosted on 61.132.200.24 and 111.123.180.9 in China (two IPs that are full of fake pharma stores) and 213.162.209.177 in Spain.

This type of spam run can easily be adapted for malware, so keep an eye out for unexpected Facebook notifications.

Wednesday, 25 April 2012

Facebook spam / 216.119.142.235

Some fake Facebook spam leading to malware, this time on 216.119.142.235.

Date:      Wed, 25 Apr 2012 05:48:16 +0200
From:      Facebook [notification+n6vn0x357cp5@facebookmail.com]
Subject:      CARMELLA OSBORN wants to be friends on Facebook.

facebook
CARMELLA OSBORN wants to be friends with you on Facebook.
   
CARMELLA OSBORN

Confirm Friend Request
   
See All Requests
This message was sent to xxxxxxxxxxxx. If you don't want to receive these emails from Facebook in the future or have your email address used for friend suggestions, please click: unsubscribe.

Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303  

The malicious payload can be found on 216.119.142.235/showthread.php?t=34c79594e8b8ac0f (report here) hosted by A2 Hosting in the US.

Something evil on 85.17.222.80, lpicture.info and ghjvodka.info

Some sites appear to have been hit by a sophisticated multi-part injection attack that triggers only once per IP (so difficult to track down).

There are two injected elements, one is a .in site hosted on 85.17.222.80 [Leaseweb, Netherlands] which could be one of the following:

sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in

There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.

The second injection is a reference to lpicture.info which is hosted on 95.168.173.151, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 37.59.198.55 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:

ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info

This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.

Something evil on 82.211.45.81 and 82.211.45.82

82.211.45.81 (Accelerated IT Services GmbH, Germany) is another server with a bunch of subdomains of hacked GoDaddy accounts, apparently being used to deliver payloads from other sites that have a hacked .htaccess file.

82.211.45.0/24 doesn't appear to host anything at all apart from these malicious sites and is a good candidate to block.

The hacked GoDaddy accounts have been set to point everything except www. to the server on 82.211.45.81. Hacked domains on this server appear to be:

revolution-clan.com
banknewsdirectories.com
psychicwireless.com
greenbankingemagazine.com
greenbankingemag.com

Many of these hijacked domains are registered to:

   BankNews Publications
   5115 Roe Blvd, Ste 200
   Shawnee Mission, Kansas 66205
   United States

It appears that BankNews Publications have lost control of their GoDaddy account.

82.211.45.81 will actually resolve for any subdomain at all for these hacked domains, but these are a sample of malicious subdomains hosted on this server:

jiqjmiglxjmedma.greenbankingemagazine.com
xihjpxpomxfjra.greenbankingemagazine.com
eqokikmxjmivxhb.greenbankingemagazine.com
xhfbjaimtcxmymb.greenbankingemagazine.com
hrxjxmesskisnxb.greenbankingemagazine.com
icmiiycxxfmevhxdc.greenbankingemagazine.com
imliismmsfdxtld.greenbankingemagazine.com
iayxdmbrqsmue.greenbankingemagazine.com
frbiptiuimxsmwe.greenbankingemagazine.com
xhbixmhmmipxsnkye.greenbankingemagazine.com
ibimuijzrxqlgmf.greenbankingemagazine.com
eimxgjruxpf.greenbankingemagazine.com
xgbgpuicyxmcsf.greenbankingemagazine.com
ixmfisqirydauf.greenbankingemagazine.com
bmnufhoixlg.greenbankingemagazine.com
hqvqbwmqqimxxmg.greenbankingemagazine.com
axvsiqiyminyug.greenbankingemagazine.com
gfmeivxnpiizfh.greenbankingemagazine.com
cxvrqiorimxgh.greenbankingemagazine.com
emkksximxuwiglh.greenbankingemagazine.com
mxmgohioxwexnyh.greenbankingemagazine.com
ijxeowhxemiumuij.greenbankingemagazine.com
gizhpirtxlmxmmkrj.greenbankingemagazine.com
exvmxopmispfwj.greenbankingemagazine.com
jmisxvxyxkymymsk.greenbankingemagazine.com
mipboqmkhxk.greenbankingemagazine.com
hlxgpiwhmemkmxk.greenbankingemagazine.com
gnmmbuoikxphiml.greenbankingemagazine.com
wehherixammvmsl.greenbankingemagazine.com
mxesvvmjvrmipixl.greenbankingemagazine.com
gmxsgedclvimin.greenbankingemagazine.com
mhvhfxixmauoun.greenbankingemagazine.com
xmltmwnixunvjo.greenbankingemagazine.com
xiegvmslxpqxiicp.greenbankingemagazine.com
miexxiivpfrcstmp.greenbankingemagazine.com
ixxevkmeipurmnp.greenbankingemagazine.com
emhxxjikflnimyp.greenbankingemagazine.com
ixicqgodvmisgq.greenbankingemagazine.com
gxcoximiwdidyjhq.greenbankingemagazine.com
exhymgkixnilbr.greenbankingemagazine.com
gcjnigxxmgvkir.greenbankingemagazine.com
hbjpmjfwmvidmxir.greenbankingemagazine.com
xeftvrmijbjr.greenbankingemagazine.com
imgximffxnzhhemr.greenbankingemagazine.com
cqimhvmrxrmbnr.greenbankingemagazine.com
xifmcxfairyuymt.greenbankingemagazine.com
mxhlieitefmkpt.greenbankingemagazine.com
xmfxiignkgefzlu.greenbankingemagazine.com
mmfimxggguihjxyu.greenbankingemagazine.com
thiqxxtgisqobmiv.greenbankingemagazine.com
dmxinxeoesimxivmjpv.greenbankingemagazine.com
foxfqgqaimkrv.greenbankingemagazine.com
mcbhxyxnikwrhw.greenbankingemagazine.com
bjetxchegicmiy.greenbankingemagazine.com
xfxpizijvmmsrqiy.greenbankingemagazine.com
gxrimhyukcxmiujy.greenbankingemagazine.com
mhmxjnpincxqly.greenbankingemagazine.com
iesqabdoumximz.greenbankingemagazine.com
ihmmlxgpyykvmz.greenbankingemagazine.com
hncrpmvdxibixmxa.greenbankingemag.com
cjkximmyjmgixvbza.greenbankingemag.com
himrnxxzwoiumza.greenbankingemag.com
gumiivcoiexfvmc.greenbankingemag.com
iihxmxrlyizympzc.greenbankingemag.com
mgifxrmvjmid.greenbankingemag.com
fimbigxycwibfme.greenbankingemag.com
hrxijizjivtjcmf.greenbankingemag.com
mmgobixyixhemqyig.greenbankingemag.com
lkqjimmimxgng.greenbankingemag.com
gsnxmimxixfsqihymkh.greenbankingemag.com
bjaxieuamimvxvph.greenbankingemag.com
mesxxlhiosh.greenbankingemag.com
ihjuxbmfkxznixh.greenbankingemag.com
mfhkcifavyxxh.greenbankingemag.com
hsmxmmndvxigxsidij.greenbankingemag.com
zsmbdqvbimbxrik.greenbankingemag.com
jxumeqpvhipixk.greenbankingemag.com
jyzxmxktxipl.greenbankingemag.com
mhupgmtgixkbn.greenbankingemag.com
zexrmixhxqvtsrin.greenbankingemag.com
goxixmggdxrdmpn.greenbankingemag.com
meirqvmmxjjxqkio.greenbankingemag.com
hirqrexuxixadmo.greenbankingemag.com
bxlfiszdqdxmixrip.greenbankingemag.com
hqucyipjmoxmp.greenbankingemag.com
ixhrhjmvllifxgmr.greenbankingemag.com
alvpvmboxixgsu.greenbankingemag.com
immhrnjpomieijxu.greenbankingemag.com
eailofxsmlwxaw.greenbankingemag.com
hrbfigxmkgy.greenbankingemag.com
mihskdifqfnxmcxy.greenbankingemag.com
mehjuxipsnbib.revolution-clan.com
hmjujigmkxfgxb.revolution-clan.com
gxqemihgmxfmtec.revolution-clan.com
mailbfhqcxqnc.revolution-clan.com
hxlilulrxmmqvc.revolution-clan.com
xeiaocohgixjme.revolution-clan.com
ltmxmjpxrmopioe.revolution-clan.com
idbkkgmjxymkipf.revolution-clan.com
cixvitmkguocxf.revolution-clan.com
hxpmvviqqpixiag.revolution-clan.com
fmxrxvmwimnzhiyig.revolution-clan.com
mfaoodswxixiekxg.revolution-clan.com
fmexxnnuiqihmfh.revolution-clan.com
imgjoxmrutfihj.revolution-clan.com
caxilhipuqumhmj.revolution-clan.com
igrjonnqgxximximj.revolution-clan.com
zkziwmijjxhobxmj.revolution-clan.com
mxwyxspkzbjmipk.revolution-clan.com
hxtsvxvtifmvirk.revolution-clan.com
gmsixlmqohxxql.revolution-clan.com
mhsjwmiehbxpiln.revolution-clan.com
emhinyyybqfxo.revolution-clan.com
jsxkmlxbxjreiq.revolution-clan.com
mmjvxexmyiravxnq.revolution-clan.com
xxacnrzimihhxayq.revolution-clan.com
xfhioimkynmltfs.revolution-clan.com
gebdxeivxhmls.revolution-clan.com
amibxpmvxjizqmvht.revolution-clan.com
igevqsxmnxqdmiit.revolution-clan.com
hmxjmiiugnxrhou.revolution-clan.com
meiqpqixrhamxzu.revolution-clan.com
hpiixmflehmmv.revolution-clan.com
xamiyicvhlxmiuov.revolution-clan.com
bshmmvxmvngixv.revolution-clan.com
ximxelmimdariya.banknewsdirectories.com
xihreeumnkkb.banknewsdirectories.com
xfgngivmpinmlb.banknewsdirectories.com
hxmrvtgfivivb.banknewsdirectories.com
eipcnxptdmximc.banknewsdirectories.com
mfrixougkoixmoc.banknewsdirectories.com
lxiqxmckvfe.banknewsdirectories.com
mfimgoexrmxkrliie.banknewsdirectories.com
epijmmqfqorxie.banknewsdirectories.com
fiihgxgeexmdvxme.banknewsdirectories.com
hzdxvktqcimxe.banknewsdirectories.com
fihlysaiajxmf.banknewsdirectories.com
cyismxdeixorrf.banknewsdirectories.com
gmsvijiqpxuxxmsrf.banknewsdirectories.com
migsoowwmrbxf.banknewsdirectories.com
wvixxyqemxf.banknewsdirectories.com
ijraqaymmmixbg.banknewsdirectories.com
migydrxjietrmg.banknewsdirectories.com
maxmiuxynjuiyg.banknewsdirectories.com
gifkkxiejimeah.banknewsdirectories.com
hqymxltxxiymztk.banknewsdirectories.com
lrmbkemoxpumil.banknewsdirectories.com
lmruitlmoxbbxil.banknewsdirectories.com
fievxumflwumnl.banknewsdirectories.com
mgeooxipnimpwl.banknewsdirectories.com
mgsrbgnnmiinixxl.banknewsdirectories.com
ibxevkxnkxvmnyl.banknewsdirectories.com
grmxbxximpomilfizl.banknewsdirectories.com
ihvmqxxmixkmgnqbn.banknewsdirectories.com
eymmnmzoihxnhxn.banknewsdirectories.com
mhpmiyrpciixvmko.banknewsdirectories.com
glxlzxkimizkmilmo.banknewsdirectories.com
xcjuvlmimisuklxo.banknewsdirectories.com
ihqxkiompoixqjp.banknewsdirectories.com
ijpixxmxwokpcipp.banknewsdirectories.com
gqveemmjoiexp.banknewsdirectories.com
fepxmehilsxkgq.banknewsdirectories.com
hpmiuvdxdimiuxbr.banknewsdirectories.com
grprpxmvrmoimr.banknewsdirectories.com
mxomwibexks.banknewsdirectories.com
hxipmtiaxyslxlms.banknewsdirectories.com
xihxjolxstjmits.banknewsdirectories.com
emkkdxmxykfiys.banknewsdirectories.com
maxfvubvisqmmbt.banknewsdirectories.com
eemimqmfgnilsxiju.banknewsdirectories.com
jiswfixzydxmkxv.banknewsdirectories.com
gitxipmcmhbuxmsw.banknewsdirectories.com
imhomjflumixysw.banknewsdirectories.com
icfrmirfynxmay.banknewsdirectories.com
cxiajrmuxugmrhy.banknewsdirectories.com
amlxxkbselyoiy.banknewsdirectories.com
fbomuvlimcjbxxiy.banknewsdirectories.com
hmxoigtxrnifmikmy.banknewsdirectories.com
ifmunqxvmorsa.psychicwireless.com
ibjcxymktdqnmximb.psychicwireless.com
hlliwutmbxmxvb.psychicwireless.com
jbximmiskbxamxqec.psychicwireless.com
xjiaursmvcoixc.psychicwireless.com
idkifjufidxmjfe.psychicwireless.com
idkmrxqkposxtme.psychicwireless.com
efqfxnqjeismif.psychicwireless.com
xxhalhimsxhisvoif.psychicwireless.com
xfmsoppgmijwmxif.psychicwireless.com
frmnxukmcaixlf.psychicwireless.com
hihhxeumtmkamf.psychicwireless.com
bpmxkieeehxyxf.psychicwireless.com
xiihcjhrmoxfndg.psychicwireless.com
xhmmgrkvoqvig.psychicwireless.com
mhrmmxxndxiknntg.psychicwireless.com
xixgvjvlqymwxg.psychicwireless.com
mixxbmvzlhksmzg.psychicwireless.com
imhxbgqgmvgyxidh.psychicwireless.com
ieirocexviomeh.psychicwireless.com
xftiimyeksmrmxaj.psychicwireless.com
xaltixqgmegqhj.psychicwireless.com

Update: it seems that  the adjacent IP, 82.211.45.82, is also hosting a similar set of malicious sites.

xmwyrwhkqlhpm.magasinez-en-vrac.com
fmyyxxhgthyr.magasinez-en-vrac.com
hfiuqgcixyoy.magasinez-en-vrac.com
wqkxgkpxxmiukyr.cashbackdevil.com
fixolsmhiahjs.cashbackdevil.com

Tuesday, 24 April 2012

LinkedIn Spam / leckrefotzen.net

Oh my. Yet another LinkedIn spam run..

Date:      Tue, 24 Apr 2012 16:31:34 -0300
From:      "Russ Connor" [enviousnessi07@linkedin.com]
Subject:      LinkedIn Reminder


LinkedIn
REMINDERS

Invitation notifications:
? From Chaney Cameron (Your Colleague)


PENDING MESSAGES

? There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. � 2010, LinkedIn Corporation.

The link in the message goes to a malware site at leckrefotzen.net/main.php?page=b7ff54d52bf8dd24 (report here) hosted on the familiar IP address of 41.64.21.71 in Egypt. Blocking this IP address would be an excellent idea. Or you could just block linkedin.com emails altogether which would be no great loss either.

nikjju.com injection attack in progress

The ISC is warning of an injection attack using the domain nikjju.com. The WHOIS details of this domain are very familiar:

Registrant Contact:
   JamesNorthone
   James Northone jamesnorthone@hotmailbox.com
   +1.5168222749 fax: +1.5168222749
   128 Lynn Court
   Plainview NY 11803
   us

The hotmailbox.com domain is a sign of evil, and these are likely to be the "LizaMoon" crew who have been very active over the past couple of years. nikjju.com is hosted on 31.210.100.242 (INTER NET BILGISAYAR LTD STI, Turkey although blocking the domain will help as well because these malicious sites tend to be highly mobile.

Myspace spam / newprescriptionmedical.com

This spam leads to a fake pharmacy on newprescriptionmedical.com, but it could be easily adapted for malware.

Date:      Tue, 24 Apr 2012 20:13:58 -0700
From:      "Myspace" [noreply@message.myspace.com]
Subject:      Account Cancellation

myspace

Your request to cancel your Myspace account has been received.

You must follow this link to complete or cancel your request.

You will receive an email shortly with instructions for confirming that you wish to cancel.
Thank you for using Myspace!

The Myspace Team
http://www.myspace.com

Have questions? Visit our help page. Myspace, 8391 Beverly Blvd, #349, Los Angeles, CA 90048.
� Myspace Inc. All Rights Reserved.


newprescriptionmedical.com is hosted on 95.168.193.182 (Supernetwork, Czech Republic) along with a bunch of other fake pharma sites and is worth blocking.

US Airways Spam / 208.117.43.8

Another US Airways spam run, leading to malware on 208.117.43.8 (as with this Pizza spam campaign).

Date:      Tue, 24 Apr 2012 20:12:38 +0700
From:      "US Airways - Reservations" [reservations@myusairways.com]
Subject:      Please confirm your US Airways online registration.
   
You can check in from 24 hours and up to 60 minutes before your flight (2 hours if you're flying abroad). After that, all you have to do is print your boarding pass and head to the gate.

Confirmation code: 749251

Check-in online: Online reservation details



   
Flight

6138    
Departure city and time

Washington, DC (DCA) 10:00PM

Depart date: 4/5/2012    



We are committed to protecting your privacy. Your information is kept private and confidential. For information about our privacy policy visit usairways.com.

US Airways, 111 W. Rio Salado Pkwy, Tempe, AZ 85281 , Copyright US Airways , All rights reserved.

====================

Some other subjects include:
Confirm your US airways online reservation.
US Airways online check-in confirmation.


The malicious payload is on 208.117.43.8/showthread.php?t=73a07bcb51f4be71(report here). Blocking this IP would probably be a good idea.

Pizza spam / 208.117.43.8

Another Pizza spam leading to malware:

Date:      Tue, 24 Apr 2012 02:21:42 +0800
From:      "ORSO`s Pizzeria"
Subject:      Re: Fwd: Order confirmation 93278

You've just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Ham
- Italian Sausage
- Chicken
- Black Olives
- Green Peppers
- Pineapple
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Italian Sausage
- Pork
- Chicken
- Diced Tomatoes
- Black Olives
- Easy On Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Italian Sausage
- Pork
- Diced Tomatoes
- Onions
- Jalapenos
- Easy On Cheese
- No Sauce
Pizza Meat Lover's with extras:
- Italian Sausage
- Black Olives
- Black Olives
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Triple Meat Italiano with extras:
- Ham
- Beef
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Ultimate Cheese Lover's with extras:
- Italian Sausage
- Pepperoni
- Onions
- Onions
- No Cheese
- Easy On Sauce
Drinks
- Carling x 3
- Hancock x 3
- Dr. Pepper x 4
Total Due:    131.51$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!


If you don't do that shortly, the order will be confirmed and delivered to you.


With Respect
ORSO`s Pizzeria
The malware is hosted on 208.117.43.8/showthread.php?t=34c79594e8b8ac0f (report here) hosted by Steadfast Networks in the US. There's also an attempted download of an executable from electrosa.com/8zvW2XE.exe on 188.40.0.195 (Hetzner, South Africa) although this looks like a legitimate hacked site.