Verizon Wireless spam / keurigminis.net

This spam leads to malware on keurigminis.net:

Date:      Wed, 20 Jun 2012 16:37:06 +0100
From:      "AccountNotify@verizonwireless.com" [eAccountNotify@verizonwireless.com]
Subject:      Verizon wireless online bill.



   
    �
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $46.62
Scheduled Automatic Payment Date: 05/29/2012
Keep in mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

 View and Pay Your Bill

Thank you for choosing Verizon Wireless.

   

   
My Verizon is also available 24/7 to assist you with:
Viewing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
   


2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 180WVB | Basking Ridge, NJ 07920
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.

The malicious payload is at [donotclick]keurigminis.net/main.php?page=c3c45bf60719e629 (report here) hosted on 109.169.86.139 (Rapidswitch / iomart Hosting Ltd / ThrustVPS, UK).

BBB Spam / sushfpappsbf.ru

I have't seen any fake BBB spam for a while, but here it is.. this new spam run leads to malware on sushfpappsbf.ru.

Date:      Wed, 20 Jun 2012 05:20:45 +0100
From:      LamarHF4AF78ZFq@gmail.com
Subject:      Urgent information from BBB

Attn: Owner/Manager

Here with the Better Business Bureau notifies you that we have received a complaint (ID 615337145)
from one of your customers with respect to their dealership with you.

Please open the COMPLAINT REPORT below to obtain more information on this matter and let us know of your point of view as soon as possible.

We are looking forward to your prompt reply.
Regards,

Lamar WILHELM

The malicious payload is at [donotclick]sushfpappsbf.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is multihomed on the following IPs:

94.20.30.91 (Delta Telecom, Azerbaijan)
124.124.212.172 (Reliance Communications, India)
173.224.209.130 (Psychz Networks, US)
213.17.171.186 (Netia SA, Poland)

The following IPs and domain names are connected with this malware run and should be blocked if you can:

78.83.233.242
89.111.177.151
94.20.30.91
110.234.176.99
124.124.212.172
173.224.209.130
213.17.171.186
girlsnotcryz.ru
harmoniavslove.ru
huletydyshish.ru
monashkanasene.ru
pekarniamsk.ru
piloramamoskow.ru
saprolaunimaxim.ru
seledkindoms.ru
sumatranajuge.ru
sushfpappsbf.ru

"UPS Quantum View" spam / leadgems.net

A new version of this malicious spam run is under way, this time with a malicious payload at leadgems.net.

The payload page is at [donotclick]leadgems.net/main.php?page=940489e6fc8f17ed (report here) which is hosted on 192.84.186.206 (Seinajoki University of Applied Sciences, Finland).. presumably a hacked server.

Blocking access to 192.84.186.206 will prevent any other malicious sites on the same server from causing a problem.

"Your UPS shipment tracking number" / autobouracky.net

Another UPS spam leading to malware, this time on autobouracky.net:

From:     UPS Quantum View auto-notify@ups.com
Date:     15 June 2012 14:34
Subject:     Your UPS shipment tracking number.

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online
My Choice

   

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Important Delivery Information

Scheduled Delivery: 09-May-2012

Shipment Detail
Ship To:
xxxxxxxxxx
CSI SECURITY
2269 JEFFERIES HWY.
WALTERBORO
SC
29488
US

Number of Packages:     1
UPS Service:     GROUND
Weight:     9.0 LBS

Tracking Number:     1ZX603R40369384687
Reference Number 1:     47479
Reference Number 2:     20872

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.



____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

© 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential.  If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

The malicious payload is at [donotclick]autobouracky.net/main.php?page=0e1cb9b71ef021b2 (report here) which is hosted on 173.208.252.207 (Datashack, US).

rzmanagement.ru / "Rock Zone Management" fake job offer

Another fake job offer in this long running scam:

Date:      Fri, 15 Jun 2012 23:17:59 +0900
Subject:      Job Application Pending

Hello xxxxxxxxx


Thank you for submitting your information for potential employment opportunities.
We look forward to reviewing your application,
but can not do so until you complete our internal application.

Prior to begin able to be considered, you will first need you to formally apply.
Please go here to begin the process:

http://rzmanagement.ru

Also, the following perks are potentially available:

- Paid Time Off
- Health Benefits Package
- Higher than average salaries
- Tuition Reimbursement
- Extensive 401(k)program

Please take the time to follow the directions and complete the entire application process.

******************

There is no job on offer, the idea of the spam is to get you to sign up for a credit check and some get-rich-quick schemes.

rzmanagement.ru is hosted on 91.217.162.214 (Voejkova Nadezhda, Ukraine) which hosts several other scam sites. You might want to consider blocking access to 91.217.162.0/24 if these are bothering you.

"Verizon wireless online bill" spam / savecoralz.net

This fake Verizon Wireless spam leads to malware on savecoralz.net:

Date:      Thu, 14 Jun 2012 18:20:21 +0200
From:      "AccountNotify@verizonwireless.com" [eAccountNotify@verizonwireless.com]
Subject:      Verizon wireless online bill.



   
    �
Important account information from Verizon Wireless
Your current bill for your account ending in XXXX-XX001 is now available online in My Verizon
Total Balance Due: $46.62
Scheduled Automatic Payment Date: 05/29/2012
Keep in mind that payments and/or adjustments made to your account after your bill was generated will be deducted from your automatic payment amount.

> View and Pay Your Bill

Thank you for choosing Verizon Wireless.

   

   
My Verizon is also available 24/7 to assist you with:
Viewing your usage
Updating your plan
Adding Account Members
Paying your bill
Finding accessories for your devices
And much, much more...
   


2011 Verizon Wireless
Verizon Wireless | One Verizon Way | Mail Code: 180WVB | Basking Ridge, NJ 07920
We respect your privacy. Please review our privacy policy for more information

If you are not the intended recipient and feel you have received this email in error; or if you
would like to update your customer notification preferences, please click here.

   
The malicious payload is exactly the same as used in this attackwhich is running at the same time.

UPS Spam / savecoralz.net and autosnort.net

This fake UPS spam leads to malware on savecoralz.net:

Date:      Thu, 14 Jun 2012 20:52:08 +0200
From:      "UPS Quantum View" [auto-notify@ups.com]
Subject:      Track your UPS delivery online.

Discover more about UPS:
Visit www.ups.com
Sign Up For Additional E-Mail From UPS
Read Compass Online

  

This message was sent to you at the request of ICRealtime Security Solutions LLC to notify you that the electronic shipment information below has been transmitted to UPS. The physical package(s) may or may not have actually been tendered to UPS for shipment. To verify the actual transit status of your shipment, click on the tracking link below or contact ICRealtime Security Solutions LLC directly.

Important Delivery Information

Scheduled Delivery: 09-May-2012

Shipment Detail
Ship To:
xxxxxxxxxx
CSI SECURITY
2269 JEFFERIES HWY.
WALTERBORO
SC
29488
US

Number of Packages:     1
UPS Service:     GROUND
Weight:     9.0 LBS

Tracking Number:     1ZX603R40369384687
Reference Number 1:     47479
Reference Number 2:     20872

Click here to track if UPS has received your shipment or visit
http://www.ups.com/WebTracking/track?loc=en_US on the Internet.



____2@@2@@2wowT7qQAXmBSs4ogrWusagY4wa____

� 2012 United Parcel Service of America, Inc. UPS, the UPS brandmark, and the color brown are trademarks of United Parcel Service of America, Inc. All rights reserved.
For more information on UPS's privacy practices, refer to the UPS Privacy Policy.
Please do not reply directly to this e-mail. UPS will not receive any reply message.
For questions or comments, visit Contact UPS.

This communication contains proprietary information and may be confidential.� If you are not the intended recipient, the reading, copying, disclosure or other use of the contents of this e-mail is strictly prohibited and you are instructed to please delete this e-mail immediately.
Privacy Notice
Contact UPS

Other subjects include:
Your UPS delivery tracking number.
Your UPS shipment tracking number.

The malicious payload is at [donotclick]savecoralz.net/main.php?page=2a709dab1e660eaf (report here) hosted on the following IPs:

109.164.221.176 (Swisscom, Switzerland)
46.162.27.165 (Interphone, Ukraine)

The domain autosnort.net is hosted on the same IPs and is probably also malicious.

Plain list for copy-and-pasting:

109.164.221.176
46.162.27.165
savecoralz.net
autosnort.net

Apparently FilesTube are handling tax payments now..

Apparently FilesTube are handling tax payments now.. or maybe some malware spammer has gotten their campaign confused.

Date:      Thu, 14 Jun 2012 06:14:40 +0300
From:      "FilesTube" [filestube@filestube.com]
Subject:      Tax Payment N 98426758 is failed.

Hello,


Your Federal Tax Payment ID: 08432389 has been rejected.

Return Reason Code C11 � The identification number used in the Company Identification Field is not valid.


Please, check the information and refer to Code U 56 to get details about

your company payment in transaction contacts section:



http://eftps.gov/N6936721773



CARLY BLOCK,

The Electronic Federal Tax Payment System

The link goes to a malicious page at [donotclick]sumatranajuge.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is multihomed on the following IPs:

78.83.233.242 (Spectrum Net JSC, Bulgaria)
110.234.176.99 (Tulip Telecom, India)
173.224.209.130 (Psychz Networks, US)
213.17.171.186 (Netia SA, Poland)

Plain list for copy-and-pasting:
78.83.233.242
110.234.176.99
173.224.209.130
213.17.171.186

Related domains:
huletydyshish.ru
saprolaunimaxim.ru
seledkindoms.ru
girlsnotcryz.ru
sumatranajuge.ru

"American Airlines Order" / saprolaunimaxim.ru

This fake American Airlines spam leads to malware on saprolaunimaxim.ru:

From: "Tereasa Mcwilliams" [lourdes@petalfresh.net]
Date: 14 June 2012 01:36:47 GMT+01:00
Subject: FWD: American Airlines Order


Dear Customer,

FLIGHT NUMBER A47-282
DATE & TIME / JUNE 26, 2012, 12:148 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 285.54 USD

Please download and print out your ticket here:
DOWNLOAD

Amercian Airlines

The malicious payload is at [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) which is the same as used in this attack two days ago, however since then the IPs have changed to:

78.83.233.242 (Spectrum Net JSC, Bulgaria)
173.224.209.130 (Psychz Networks, US)

The following domains and IPs are related and should be blocked if you can:
50.57.43.49
50.57.88.200
78.83.233.242
89.108.75.155
89.111.177.151
173.224.209.130
187.85.160.106
girlsnotcryz.ru
hamlovladivostok.ru
holigaansongeer.ru
huletydyshish.ru
insomniacporeed.ru
paranoiknepjet.ru
pekarniamsk.ru
piloramamoskow.ru
pistolitnameste.ru
puleneprobivaemye.ru
pushkidamki.ru
saprolaunimaxim.ru
seledkindoms.ru
spbfotomontag.ru
uzindexation.ru

LinkedIn spam / 74.91.112.248

This fake LinkedIn spam appears to lead to a malicious payload on 74.91.112.248:

Date:      Wed, 13 Jun 2012 14:58:15 +0200
From:      "LinkedIn©" [mvclient@mediavisions.net]
Subject:      Express LinkedIn Mail

LinkedIn
REMINDERS

Invitation reminders:
• From kristen redshaw (Country General Manager at Toshiba)


PENDING MESSAGES

• There are a total of 3 messages awaiting your response. Visit your InBox now.

Don't want to receive email notifications? Adjust your message settings.

LinkedIn values your privacy. At no time has LinkedIn made your email address available to any other LinkedIn user without your permission. © 2012, LinkedIn Corporation.

The malicious payload is on [donotclick]74.91.112.248/page.php?p=88fe38de which is hosted on Nuclear Fallout Enterprises in the US.

"Your credit card is blocked" spam / seledkindoms.ru

This spam leads to malware on seledkindoms.ru:

Date:      Wed, 13 Jun 2012 05:27:07 -0500
From:      Michel Boudreaux via LinkedIn [member@linkedin.com]
Subject:      Your credit card is blocked

Dear Client,



CAUTION: Your credit card is blocked!



With your credit card was removed USD 58,05

Possibly illegal transaction!



VIEW YOUR STATEMENT





Immediately contact your bank .

Best Wishes, VISA Customer Services.

The malicious payload is at [donotclick]seledkindoms.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c hosted on the following IPs:

50.57.43.49 (Slicehost, US)
89.108.75.155 (Agava Ltd, US)

Here's another spam with the same payload:

Date:      Wed, 13 Jun 2012 06:21:51 +0200
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      clongmore, Please confirm your email address with Classmates

        Help us ensure your Classmates� notifications   
      
      
      
Hi xxxxxxxxxx,
Thanks for joining Classmates�. Please click the button below to help us ensure future email delivery.
Yes, this is xxxxxxxxxx �
Not xxxxxxxxxx, please click here.
      
   
   
Your account details
Registration Number: 3164106744
Email Address: xxxxxxxxxx
Your Password: 534B962E Change password
   
   
   
You can change your password to whatever you want.

Change it now �
   
      
      
   
    Tips on finding the posts, photos and stories that people
are sharing with your community.
      
      
    TO PROTECT YOUR PRIVACY:
Do not forward this email to anyone not authorized by you to access your profile. For more information, see our Privacy Policy.

You are receiving this email as part of your Memory Lane membership.

We are unable to respond to messages sent to this automated email address, so if you have questions or have received this message in error, visit the Online Help Center.

Memory Lane, Inc., d/b/a Classmates.com 333 Elliott Ave. W., Seattle, WA 98119
� 1995-2012 Memory Lane, Inc., d/b/a Classmates.com. All Rights Reserved.  

ff

"Confirm your Twitter account" spam / saprolaunimaxim.ru

This fake twitter spam leads to malware at saprolaunimaxim.ru.

Date:      Tue, 12 Jun 2012 12:43:11 -0500
From:      Twitter
Subject:      Confirm your Twitter account, xxxxxxxx!

Hi, xxxxxxxx.

Please confirm your Twitter account by clicking this link:

Please click here.

Once you confirm, you will have full access to Twitter and all future notifications will be sent to this email address.

The Twitter Team

If you received this message in error and did not sign up for a Twitter account, click not my account.

Please do not reply to this message; it was sent from an unmonitored email address. This message is a service email related to your use of Twitter. For general inquiries or to request support with your Twitter account, please visit us at Twitter Support.

The domain and payload appear to be the same as this spam. Avoid.

PayPal / eBay spam and kidwingz.net

These fake PayPal / eBay emails lead to malware:

Date:      Tue, 12 Jun 2012 16:56:54 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Ebay.com transaction details.


    Transaction ID: 24818126
Hello xxxxxxxxxxxxx,

You sent a payment of $847.48 USD to Quentin Cotton

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Fernando.Edwards@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
NY 13104-9402
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
PHOTAX PLASTIC SLIDE CASE PLUS 175 x 35mm SLIDES
Item# 263420914
    $847.48 USD     23     $847.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $847.48 USD
Payment     $847.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP108

===================


Date:      Tue, 12 Jun 2012 16:52:26 +0200
From:      "PayPal" [notify@paypal.com]
To:      xxxxxxxxxxxxx
Subject:      Your Paypal.com transaction confirmation.


    Transaction ID: 59064148
Hello xxxxxxxxxxxxx,

You sent a payment of $977.48 USD to Elijah Bray

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Abby.Ford@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
4787 Hyde Rd
WY 48034
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 347197370
    $977.48 USD     23     $977.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $977.48 USD
Payment     $977.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP646

The malicious payload is at [donotclick]kidwingz.net/main.php?page=614411383eef8d9 (report here) which is hosted at 68.71.222.8 (Disney Online, Florida) which is the same IP address used in this similar attack and is therefore definitely worth blocking.

"Your Flight Order А994284" / saprolaunimaxim.ru

This fake flight email leads to malware on saprolaunimaxim.ru.

From: Simonne Storey [sandy@krishermckay.com]
Subject: Your Flight Order А994284

Dear Customer,

FLIGHT NUMBER A45-342
DATE & TIME / JUNE 27, 2012, 10:140 PM
ARRIVING: NEW YORK JFK
TOTAL PRICE : 456.62 USD

Please download and print out your ticket here:
DOWNLOAD

Amercian Airlines{br[1-5]}

The link hoes to a malicious payload on [donotclick]saprolaunimaxim.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on the following IP addresses:

89.108.75.155 (Agava Ltd, Russia)
50.57.43.49 (Slicehost, US)
50.57.88.200 (Slicehost, US)

The following IPs and domains are also connected to this malware and should be considered hostile:
girlsnotcryz.ru
hamlovladivostok.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
pistolitnameste.ru
pushkidamki.ru
spbfotomontag.ru
stroby.ru
uzindexation.ru
31.17.189.212
50.57.43.49
50.57.88.200
89.108.75.155
184.106.200.65
187.85.160.106

partyysoon.info injection attack in progress

I haven't had much time to analyse this yet, but there seems to be some sort of injection attack using the domain partyysoon.info. It may be targeting sites in Sweden.

Malicious URLs (don't click these, obviously):
hxxp:||partyysoon.info/index.php
hxxp:||partyysoon.info/js_pa/F.class
hxxp:||partyysoon.info/Set.jar
hxxp:||gotchasworkspaces.in/duquduqu1/font.php
hxxp:||beards.christianmomsgetaways.com/index.php?p=b2e04035f7b91e43

These IPs and domains are all related to the attack:

5.10.65.142 (Spinor J Ltd / Ulrik Sjafalander, Sweden)
partyysoon.info
(Part of a small block of 5.10.65.136 - 5.10.65.143)

141.101.239.97 (Leadertelecom, Russia)
beards.christianmomsgetaways.com
volumea.offerscrate.com
wagea.hcop.com
sexof2a0b5.serveusers.com
sexo41e92f.serveusers.com
beds.fivedollarprogram.info
visitora.legitimatepaidsurveystips.info

69.65.42.35 (Gigenet, US)
gotchasworkspaces.in
kopachrats.info

Blocking access to these IPs might be prudent.

Wire Transfer / HP spam and pistolitnameste.ru

These two fake "wire transfer spams" lead to malware on pistolitnameste.ru

From: "AUSTIN MCDOWELL" [AUSTINMCDOWELLsXmqTdYQvU@hotmail.com]
Date: 11 June 2012 16:54:23 GMT+01:00
Subject: Fwd: Re: Wire Transfer
Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-1987953358499039
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)

=============

From: JessicaPecinousky@hotmail.com [mailto:JessicaPecinousky@hotmail.com]
Sent: 11 June 2012 07:13
Subject: Fwd: Wire Transfer Confirmation (FED 5419DS49)

Dear Bank Account Operator,
WIRE TRANSACTION: WIRE-84685588475552771
CURRENT STATUS: CANCELLED

You can find details in the attached file.(Internet Explorer file)

The spammers have their campaigns mixed up - the payload on this is a ZIP file with a HTML file called something similar to HP_DocumentN8983.htm which is the one they use for fake printer spam. The malicious payload is at [donotclick]pistolitnameste.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on 50.57.43.49 and 50.57.88.200 (both Slicehost, US).

The following domains are part of the same malware cluster and should also be avoided:
pistolitnameste.ru
puleneprobivaemye.ru
spbfotomontag.ru
pushkidamki.ru
mazdaforumi.ru
hamlovladivostok.ru
uzindexation.ru
holigaansongeer.ru
paranoiknepjet.ru
piloramamoskow.ru
girlsnotcryz.ru

PayPal Spam / itscholarshipz.net

These two PayPal spams lead to malware on itscholarshipz.net :

Date:      Mon, 11 Jun 2012 16:06:45 +0200
From:      "PayPal" [notify@paypal.com]
Subject:      Your Paypal Ebay.com payment.


    Transaction ID: 35580191
Hello xxxxxxxxxxxxxxx,

You sent a payment of $777.48 USD to Xavier Parrish

Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.
   

It may take a few moments for this transaction to appear in your account.

Seller

Alexis.Brady@yahoo.com     Note to seller
You haven't included a note.
Shipping address - confirmed
419-4138 Pharetra Rd.
AL 43438
United States
    Shipping details
The seller hasn't provided any shipping details yet.

Description     Unit price     Qty     Amount
Vintage photo sexy college girls 1990's or 2000's
Item# 908906055
    $777.48 USD     23     $777.48 USD
   
Shipping and handling     $0.00 USD
Insurance - not offered     ----
Total     $777.48 USD
Payment     $777.48 USD


   

Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP387

=====================


From: PayPal [mailto:notify@paypal.com]
Sent: 11 June 2012 15:09
Subject: Your Paypal.com transaction confirmation.




Transaction ID: 20148689

Hello xxxxxxxxxxxxxxx,
You sent a payment of $754.48 USD to  Quentin Cotton
Thanks for using PayPal. To see all the transaction details, Log In to your PayPal account.   
It may take a few moments for this transaction to appear in your account.
________________________________________

Seller

Myron.Newton@yahoo.com
Note to seller
You haven't included a note.
Shipping address - confirmed
Ap #834-5784 Venenatis Street
AL 43438
United States    Shipping details
The seller hasn't provided any shipping details yet.

Description    Unit price    Qty    Amount
TaylorMade R11 Driver Golf Club
Item# 003187238    $754.48 USD    23    $754.48 USD


Shipping and handling    $0.00 USD
Insurance - not offered    ----
Total    $754.48 USD
Payment    $754.48 USD
   



Issues with this transaction?
You have 45 days from the date of the transaction to open a dispute in the Resolution Center.

Questions? Go to the Help Center at: www.paypal.com/help.

Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click Help in the top right corner of any PayPal page.

You can receive plain text emails instead of HTML emails. To change your Notifications preferences, log in to your account, go to your Profile, and click My settings.


PayPal Email ID PP426

The malicious payload is at [donotclick]itscholarshipz.net/main.php?page=888c5b8a2e6174bc hosted on
68.71.222.8 (Disney Online, US) (report here). "Disney Online" appears to be some sort of ISP in Florida.

These other two domains are also hosted on that server and are probably worth avoiding:
defencesupernow.com
homeofficecaptioning.ru

IMDB "Your password is too weak" spam / thepharmhealth.com

This spam leads to a fake pharma site at thepharmhealth.com:

Date:      Sat, 9 Jun 2012 18:20:35 -0700 (PDT)
From:      IMDb User Protection [do-not-reply-here@imdb.com]
Subject:      Your password is too weak

This is an automatic message from the Internet Movie Database (IMDb) registration system.
Our system detected your password is too weak. Short passwords are easy to guess.

Please follow this link :

https://secure.imdb.com/password_update/imdb/74129625140408804050

If you used your IMDb password at any other sites, you'll need to change those passwords as well.

Regards,
IMDb User Protection help
http://imdb.com/register/

It's an interesting and novel approach, and it could easily be adapted for malware rather than fake prescriptions. thepharmhealth.com is hosted on 80.232.131.201 (SIA Lattelecom, Latvia).

Amazon.com spam / cool-mail.net

These fake Amazon.com spam emails lead to malware on cool-mail.net:

Date:      Fri, 8 Jun 2012 10:26:01 -0600
From:      Amazon.com (digital-no-reply@amazon.com)
Subject:      Your Kindle e-book Amazon.com receipt.

Thanks for your order, xxxxxxxxxxxx!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:

E-mail Address: xxxxxxxxxxxx
Billing Address:
Av.
GAHANNA
United States
Phone: 1-564-536-5200

Order Grand Total: $ 89.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     Y32-4367039-9487640
Subtotal of items:     $ 89.99
    ------
Total before tax:     $ 89.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 80.00
Gift Certificates:     $ 9.99
    ------
Total for this Order:     $ 89.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
The Witness by Nora Roberts [Kindle Edition] $ 89.99
Sold By: Random House Digital, Inc.

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.

Amazon.com
Earth's Biggest Selection

Prefer not to receive HTML mail? Click here


=================


Date:      Fri, 8 Jun 2012 21:55:42 +0530
From:      Amazon.com (digital-no-reply@amazon.com)
Subject:      Your Amazon.com order confirmation.

Thanks for your order, xxxxxxxxxxxx!

Did you know you can view and edit your orders online, 24 hours a day? Visit Your Account.

Order Information:

E-mail Address: xxxxxxxxxxxx
Billing Address:
370 Id
GAHANNA
United States
Phone: 1-564-536-5200

Order Grand Total: $ 55.99
   
Earn 3% rewards on your Amazon.com orders with the Amazon Visa Card. Learn More

Order Summary:
Details:
Order #:     O10-8086470-1458769
Subtotal of items:     $ 55.99
    ------
Total before tax:     $ 55.99
Tax Collected:     $0.00
    ------
Grand Total:     $ 50.00
Gift Certificates:     $ 5.99
    ------
Total for this Order:     $ 55.99

The following item is auto-delivered to your Kindle or other device. You can view more information about this order by clicking on the title on the Manage Your Kindle page at Amazon.com.
The Promise: A Novel [Kindle Edition] $ 55.99
Sold By: Random House Digital, Inc.

You can review your orders in Your Account. If you've explored the links on that page but still have a question, please visit our online Help Department.

Please note: This e-mail was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

Thanks again for shopping with us.

Amazon.com
Earth's Biggest Selection

Prefer not to receive HTML mail? Click here

The victim bounces through a random hacked site and is delivered to a malicious payload on [donotclick]cool-mail.net/main.php?page=640db37c90c88306 (report here) which is hosted on 84.106.114.97 (Ziggo, Netherlands).


Of some note is the fact that the domain is privacy protected.. normally they just supply fake details. Nameservers are provided by the ns1.grapecomputers.net (31.170.106.39, Bradler & Krantz, Germany) and ns2.grapecomputers.net (77.144.63.18, SFR, France).

The following domains are also associated with these malicious sites and should be avoided:
lifelovework.net
bestcompdefence.net
sitkatacotruck.com
yoursystemdefender.com


which are associated with several other scam and malware sites.

"[Confirm] 2012 Olympic Draw Note Attach" spam

Frankly I can be a curmudgeonly so-and-so when it comes to big events that I have to pay for out of my taxes, and the Olympics is one of them. But it's a bit late to hand it to the French I suppose, so I was quite pleased to get this email from the "British Olympic and United Kingdom National Lottery" saying that I had won £950,000

http://www.justlottery.com/all-results/UK-Lotto.html

Congratulations

We will like to inform you that your e-mail address has won the sum of £950.000.00 from monthly British Olympic and United Kingdom National Lottery Promotion award held on 1st June, 2012. Your e-mail address was chosen for this promotion as one of the lucky e-mail address through our computer ballot system in British national lottery.




http://www.justlottery.com/all-results/UK-Lotto.html

Ref: UK/9420X2/68.
Winning No: 01 06 2012: (05) (06) (34) (42) (45) (46) BB (22)

You are hereby advised to contact our authorized coordinator and provide the above information to avoid delays/mistake.

Payment Coordinator
Mr. Justin King
Email: uk.kingagency1@live.com OR inforwin1@games.com
Tel: +44-702-407-2224.

MOBILE ONLINE DOCUMENTATION FORM

Full Names: ……………………………….
Contact Address: ………………………….
Nationality: ……………………………….
Country of Resident: ………………….......
Contact Number: ………………………….
Occupation: ……………………………….
Winning Email: …………………………...
Your Age: …………………………………
Sex: ………………………………………..
Ref. Number: ………………………………
Winning No: ………………………………
Beneficiary Amount: ………………………

Yours Faithfully,
Dr. Steve Heinderson
Director Customer Service/Claims Dept.

Of course, it's all a scam. The email originates from 216.172.135.112 (EGIHosting / AFNCA) which claims to be based in the US, but I've seen this ISP so often with Advanced Fee Fraud emails that it may as well be in Lagos.